
Disable HTTP TRACE method on CXF http-jetty transport


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.4
    • Fix Version/s: 3.1.9, 3.0.12, 3.2.0
    • Component/s: Transports
    • Labels: None
    • Unknown
    • Patch

    Description

      We had a security scan and found that a standalone CXF endpoint using the http-jetty transport still had the HTTP TRACE method enabled. It is considered a security risk.

      It's not a problem if the CXF http-jetty transport is used with Pax Web, as Pax Web has already had its embedded Jetty engine's HTTP TRACE method disabled by default.

      So we should disable the HTTP TRACE method in JettyHTTPHandler. Please find the attached patch.txt for more detail.
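      As an added illustration of the fix being asked for (this is not the attached patch.txt and not CXF's own JettyHTTPHandler code), a Jetty 9 HandlerWrapper that answers TRACE with 405 before the request reaches the wrapped handler; the class name, the wrapping arrangement and the Allow list are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.HandlerWrapper;

/**
 * Hypothetical wrapper (not the CXF patch): every TRACE request gets
 * 405 Method Not Allowed and is never passed to the wrapped handler, so the
 * request line, headers and cookies are not echoed back in a response body.
 * Install it in front of the transport's handler, e.g. server.setHandler(
 * new TraceRejectingHandler(existingHandler)).
 */
public class TraceRejectingHandler extends HandlerWrapper {

    public TraceRejectingHandler(Handler delegate) {
        setHandler(delegate);
    }

    @Override
    public void handle(String target, Request baseRequest,
                       HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // HTTP method names are case-sensitive, so an exact match is the right test.
        if ("TRACE".equals(request.getMethod())) {
            // Advertise the methods the endpoint does serve (assumed list), then stop.
            response.setHeader("Allow", "GET, POST, PUT, DELETE, HEAD, OPTIONS");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            baseRequest.setHandled(true);
            return;
        }
        // Anything else is handled exactly as before.
        super.handle(target, baseRequest, request, response);
    }
}
```

      A quick check after deploying is to issue a TRACE request to the endpoint and confirm the status is 405 with no request headers echoed in the body.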

      Attachments


          People

            Assignee: Sergey Beryozkin (sergey_beryozkin)
            Reporter: Joe Luo (joeluo)
            Votes: 0
            Watchers: 2
