
[JettySecurity]

TRACE is used as an input-data echo mechanism for the HTTP protocol. This request method is commonly used for debugging and other connection analysis activities.
An HTTP TRACE request (containing the request line, headers and post data), sent to a web server that supports TRACE, is answered with the information contained in the request echoed back to the client.

TRACE provides an easy way to tell what an HTTP client is sending and what the server is receiving. Apache, IIS and iPlanet all support TRACE as defined by the HTTP/1.1 RFC, and it is currently enabled by default. Very few system administrators have disabled this request method, either because the method exposed no known risk, because the default settings were considered good enough, or simply because they had no option to do so.

But in fact there is a risk, since your web server echoes sensitive information (such as cookies and authentication headers) in its answers to TRACE requests.

The standard way to disable TRACE in Jetty is a security constraint in web.xml like the following:

```xml
<security-constraint>
	<web-resource-collection>
		<web-resource-name>NoTrace</web-resource-name>
		<url-pattern>/*</url-pattern>
		<http-method>TRACE</http-method>
	</web-resource-collection>
	<!-- an empty auth-constraint denies the listed method to every caller -->
	<auth-constraint>
	</auth-constraint>
</security-constraint>
```

This does not work with Jetty running in JobScheduler. This is the reason why we have disabled the TRACE method in the Jetty plugin starting with release 1.7.xxxx.