Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-7114

Disable HTTP TRACE method on CXF http-jetty transport

          Details

          • Type: Bug
          • Status: Closed
          • Priority: Minor
          • Resolution: Fixed
          • Affects Version/s: 3.0.4
          • Fix Version/s: 3.1.9, 3.0.12, 3.2.0
          • Component/s: Transports
          • Labels:
            None
          • Estimated Complexity:
            Unknown
          • Flags:
            Patch

            Description

            We had a security scan and found that standalone CXF endpoint using http-jetty transport still had HTTP TRACE method enabled. It is considered as a security risk.

            It's not a problem if the CXF http-jetty transport is used with Pax Web as Pax Web had already had it's embedded Jetty engine's HTTP TRACE method disabled by default.

            So we should disable HTTP TRACE method in JettyHTTPHandler. Please find attached patch.txt for more detail.

              Attachments

                Activity

                  People

                  • Assignee:
                    sergey_beryozkin Sergey Beryozkin
                    Reporter:
                    joeluo Joe Luo
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    2 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: