saman2004
Participant
May 23, 2019
Question

How to disable http TRACE method in jetty 9.4?

  • May 23, 2019
  • 1 reply
  • 5510 views

ColdFusion 11. I use server monitoring, which is configured on jetty.port. How do I disable the HTTP TRACE and OPTIONS methods on jetty.port?

This topic has been closed for replies.

1 reply

Charlie Arehart
Community Expert
May 23, 2019

First note that that jetty is used by the monitor ONLY if you enable the "monitoring server" button on the CF Admin "server monitoring>monitoring settings" page. That simply enables accessing that monitor on that jetty port. Otherwise, you can access the CF monitor on the same port as the CF Admin.

And if you are NOT using that Jetty for that or any other use, then you can just disable it entirely. Or you can limit what IP address it listens on. Both can be done in the jetty.xml file. There's some discussion of modifying that here: ColdFusion Help | Work with Server Monitor

But if you NEED it enabled, then there's no discussion of disabling those option types you request. But here's the first result of searching for how to control options for jetty. Seems like it would work.

java - Disable OPTIONS Method Jetty Server - Stack Overflow

And as it indicates, the webdefault.xml file it refers to is in the C:\ColdFusion10\cfusion\jetty\etc folder. But I have not tried it.

/Charlie (troubleshooter, carehart.org)
saman2004 (Author)
Participant
May 24, 2019

Thanks for the idea of using the CFAdmin port for monitoring the server. In this case, everything is solved through WEB-INF/web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>NoTrace</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint permits no role, so TRACE requests to any URL are rejected -->
    <auth-constraint>
    </auth-constraint>
</security-constraint>

webdefault.xml did not work for me ((
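
An added example, not part of the original thread: a small check that sends TRACE and OPTIONS to a listener and reports whether each is still answered, useful for confirming that a web.xml or webdefault.xml change actually took effect. The host and port come from the command line, and the set of "blocked" status codes and the marker header name are assumptions of this example.

```python
import http.client
import sys

# Statuses treated as "method refused". 403 is the usual result of an empty
# <auth-constraint>; 405 and 501 come from other ways of disabling a method.
# (This grouping is an assumption of the example.)
BLOCKED = {403, 405, 501}
MARKER = "probe-7f3a"  # constructed value, sent in a header


def classify(status, echoed):
    """Turn one response into a verdict string."""
    if echoed or 200 <= status < 300:
        return "ENABLED"
    if status in BLOCKED:
        return "blocked"
    return f"check ({status})"


def probe_method(host, port, method, path="/", timeout=5):
    """Send one request with `method`; return (status, marker_echoed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # An enabled TRACE echoes the request, headers included, in the body.
        conn.request(method, path, headers={"X-Method-Probe": MARKER})
        resp = conn.getresponse()
        body = resp.read(65536)
        return resp.status, MARKER.encode() in body
    finally:
        conn.close()


def audit(host, port, methods=("TRACE", "OPTIONS")):
    """Return {method: verdict} for each probed method."""
    return {m: classify(*probe_method(host, port, m)) for m in methods}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_methods.py HOST PORT")
    findings = audit(sys.argv[1], int(sys.argv[2]))
    for method, verdict in findings.items():
        print(f"{method:8} {verdict}")
    # Non-zero exit when any probed method is still answered.
    sys.exit(1 if "ENABLED" in findings.values() else 0)
```

Run it against each port in use (the Jetty monitoring port and the CF Admin port), since a constraint in one web.xml only covers the application it belongs to.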

Charlie Arehart
Community Expert
May 28, 2019

Glad to help, and thanks for the update.

And as for the webdefault.xml that the doc referred to, perhaps that serves as a template/original for what ends up in that web.xml you tweaked. Can you clarify for folks where that WEB-INF folder is? There are indeed multiples of them within cf's subfolders.

/Charlie (troubleshooter, carehart.org)