Details
-
Feature
-
Status: Approved (View Workflow)
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
Description
Trace is used as an input data echo mechanism for the http protocol. This request method is commonly used for debug and other connection analysis activities.
The http trace request (containing request line, headers, post data), sent to a trace supporting web server, will respond to the client with the information contained in the request.
Trace provides any easy to way to tell what an http client is sending and what the server is receiving. Apache, IIS, and iPlanet all support trace as defined by the HTTP/1.1 RFC and is currently enabled by default. Very few system administrators have disabled this request method either because the method posed no known risk, default settings were considered good enough or simply had no option to do so.
But in fact there is a risk since your web server echoes sensitive information in TRACE requests.
The standard way to disable trace in jetty is the configuration of the web.xml like
<security-constraint>
<web-resource-collection>
<web-resource-name>NoTrace</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>
This does not work with jetty running in JobScheduler.