How to disable the TRACE method in Sun Java Web Server and check that it worked
Tuesday Jun 24, 2008
For security reasons, it is sometimes necessary to disable the TRACE method in Sun Java Web Server; see
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200171-1
One common mistake happens when you simply cut and paste the following into the telnet window while editing obj.conf:
"
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
"
You must remove the spaces in front of <Client...> and </Client>.
Also, the long AuthTrans line must be ONE SINGLE line.
Then, you can restart and test it.
For example, in my environment:
<Object name="default">
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
....
Then the customer can test that TRACE is disabled, e.g.
apple:/export/home/iws6.1sp8/https-trace-1/config> telnet apple.asia 60012
Trying 129.158.175.16...
Connected to apple.asia.sun.com.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: apple.asia
HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 24 Jun 2008 07:31:35 GMT
Content-length: 148
Content-type: text/html
Connection: close
<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.
Without the change above to disable TRACE, you will see the default response below:
apple:/export/home/iws6.1sp7> telnet apple.asia 61701
Trying 129.158.175.16...
Connected to apple.asia.sun.com.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: apple.asia
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 24 Jun 2008 07:33:50 GMT
Content-type: message/http
Transfer-encoding: chunked
0026
TRACE / HTTP/1.1
Host: apple.asia
0
I hope the above helps customers check whether TRACE is disabled correctly after their change.
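The telnet check above can be scripted so it is repeatable after every obj.conf change. This Python code is an added example, not part of the original post: it sends the same TRACE request and classifies the reply. The function names, the embedded sample responses (constructed from the two sessions above) and the treatment of 405 as "disabled" are assumptions.

```python
import socket

# Constructed samples modelled on the two telnet sessions above (CRLF line endings).
SAMPLE_DISABLED = (b"HTTP/1.1 501 Not Implemented\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
                   b"Content-type: text/html\r\nConnection: close\r\n\r\n"
                   b"<HTML><BODY><H1>Not Implemented</H1></BODY></HTML>")
SAMPLE_ENABLED = (b"HTTP/1.1 200 OK\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
                  b"Content-type: message/http\r\nTransfer-encoding: chunked\r\n\r\n"
                  b"0026\r\nTRACE / HTTP/1.1\r\nHost: apple.asia\r\n\r\n0\r\n\r\n")

def build_trace_request(host):
    """The request typed into telnet above, plus Connection: close so the read ends."""
    return f"TRACE / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")

def classify_trace_response(raw):
    """Return 'disabled', 'enabled' or 'unknown' for a raw HTTP response to TRACE."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    headers = {n.strip().lower(): v.strip().lower()
               for n, sep, v in (ln.partition(":") for ln in lines[1:]) if sep}
    # An enabled TRACE echoes the request back with Content-type: message/http.
    echoed = b"TRACE / HTTP/1.1" in body
    if 200 <= status < 300 and (headers.get("content-type", "").startswith("message/http") or echoed):
        return "enabled"
    # 501 is what the obj.conf change returns; 405 is an assumption for other servers.
    if status in (405, 501):
        return "disabled"
    return "unknown"

def probe_trace(host, port, timeout=5.0):
    """Send TRACE to host:port and classify whatever comes back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        try:
            while data := sock.recv(4096):
                chunks.append(data)
        except socket.timeout:
            pass  # server kept the connection open; classify what was received
    return classify_trace_response(b"".join(chunks))

if __name__ == "__main__":
    print(classify_trace_response(SAMPLE_DISABLED), classify_trace_response(SAMPLE_ENABLED))
```

Against a live instance, call `probe_trace("apple.asia", 60012)` with your own host and port; an "unknown" result means the reply should be inspected by hand.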










