Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Disable invalid HTTP method error page
Hi Silvio,

Both the jetty unit tests and informal testing show that jetty will return an error 403 Forbidden. For example, see: https://github.com/eclipse/jetty.project/blob/master/jetty-security/src/test/java/org/eclipse/jetty/security/SpecExampleConstraintTest.java#L264

Section 13.8.4.2 of the 3.1 Servlet Spec requires that 403 Forbidden is returned for denied uncovered methods:

"When the deny-uncovered-http-methods flag is set in the web.xml of an
application, the container must deny any HTTP protocol method when it is used
with a request URL for which the HTTP method is uncovered at the combined
security constraint that applies to the url-pattern that is the best match for the
request URL. The denied request shall be rejected as forbidden and a 403
(SC_FORBIDDEN) status code shall be returned."

Hope that helps,
Jan

On 14 January 2016 at 21:54, Silvio Bierman <sbierman@xxxxxxxxxxxxxxxxxx> wrote:
Hello all,

I am using Jetty 9.3.6.v20151106 and use ConstraintSecurityHandler to explicitly cover HTTP methods. I have called securityHandler.setDenyUncoveredHttpMethods(true).

The problem is that Jetty does not actually deny the methods with a status 405 but instead returns an HTML page containing an error message. Security scanners employed by several of my customers flag this as allowing potentially harmful methods.

How can I get Jetty to 405 uncovered methods? Do I have to cover them and 405 them myself?

Thanks,

Silvio

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



--
Jan Bartel <janb@xxxxxxxxxxx>
www.webtide.com
Expert assistance from the creators of Jetty and CometD

Back to the top