I am not. My embedding code is very minimal and apart from the
connector stuff (which is a bit more elaborate) consists only of:

    ServletHolder
    ServletContextHandler
    ContextHandlerCollection
    Server

But I have noticed something I overlooked: the status codes returned
are indicative of an error but there is also HTML content in the
response. I was unaware that this was normal and expected no content
to be returned in case of an error status. Strangely I never looked
into this.

Since curl does not show the status code by default I concluded too
quickly that the methods were not denied properly, which they are.

Now I am wondering why three independent security scans that were
done on my systems report my HTTP server allowing PUT/DELETE and
TRACE when I see a 4xx status being returned.

Still investigating...

Thanks.

Silvio

On 01/15/2016 04:41 PM, Joakim Erdfelt wrote:
> If you are using a WebAppContext, then the
> ConstraintSecurityHandler can be used.
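
An added example, not part of the original thread and not Jetty code: a method probe that decides "denied" from the status line alone, so an HTML error page in the body cannot be mistaken for success. The local `DemoHandler` server is a constructed stand-in for the embedded server, and `probe` and `run_demo` are hypothetical names.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in server: GET is served, other methods get 405 *with* an HTML body.
class DemoHandler(BaseHTTPRequestHandler):
    def _reply(self, status, html):
        body = html.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(200, "<html><body>ok</body></html>")

    def _deny(self):
        self._reply(405, "<html><body><h2>HTTP ERROR 405</h2></body></html>")

    do_PUT = do_DELETE = do_TRACE = _deny

    def log_message(self, *args):  # silence per-request logging
        pass

def probe(host, port, methods=("GET", "PUT", "DELETE", "TRACE"), path="/"):
    """Return {method: (status, body_length, denied)}; the verdict uses the status only."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        body = resp.read()  # read the body, but never base the verdict on it
        results[method] = (resp.status, len(body), 400 <= resp.status < 500)
        conn.close()
    return results

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)  # port 0: any free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for method, (status, size, denied) in run_demo().items():
        print(f"{method:6} status={status} body={size}B denied={denied}")
```
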