ColdFusion 11. I use server monitoring, which is configured on jetty.port. How do I disable the HTTP TRACE and OPTIONS methods on jetty.port?
First note that Jetty is used by the monitor ONLY if you enable the "monitoring server" button on the CF Admin "server monitoring>monitoring settings" page. That simply enables accessing that monitor on that Jetty port. Otherwise, you can access the CF monitor on the same port as the CF Admin.
And if you are NOT using that Jetty for that or any other use, then you can just disable it entirely. Or you can limit what IP address it listens on. Both can be done in the jetty.xml file. There's some discussion of modifying that here: ColdFusion Help | Work with Server Monitor
But if you NEED it enabled, then there's no discussion of disabling those option types you request. But here's the first result of searching for how to control options for jetty. Seems like it would work.
java - Disable OPTIONS Method Jetty Server - Stack Overflow
And as it indicates, the webdefault.xml file it refers to is in the C:\ColdFusion10\cfusion\jetty\etc folder. But I have not tried it.
Thanks for the idea of using the CFAdmin port for monitoring the server. In this case, everything is solved through WEB-INF/web.xml
```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>NoTrace</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint denies the listed method to every caller -->
    <auth-constraint>
    </auth-constraint>
</security-constraint>
```
webdefault.xml did not work for me ((
Glad to help, and thanks for the update.
And as for the webdefault.xml that the doc referred to, perhaps that serves as a template/original for what ends up in that web.xml you tweaked. Can you clarify for folks where that WEB-INF folder is? There are indeed multiples of them within cf's subfolders.
1) It can be used as a server
.../cfusion/runtime/conf/web.xml
and for the application
.../cfusion/wwwroot/WEB-INF/web.xml
2) At first I tried to do it through jetty.xml. Below is an example. The server starts without errors, but the TRACE and OPTIONS methods return HTTP 200 ((
```xml
<!-- =========================================================== -->
<!-- Set handler Collection Structure -->
<!-- =========================================================== -->
<Set name="handler">
  <New class="org.eclipse.jetty.server.handler.HandlerCollection" id="Handlers">
    <Set name="handlers">
      <Array type="org.eclipse.jetty.server.Handler">
        <Item>
          <New class="org.eclipse.jetty.servlet.ServletContextHandler" id="ServletContext">
            <!-- <Arg>org.eclipse.jetty.servlet.ServletContextHandler.SESSIONS</Arg> -->
            <Arg type="int">1</Arg>
            <!-- in Jetty 7 Value for SESSIONS is 1. giving it programmatically was not working. -->
            <Set name="ContextPath">/</Set>
            <!--Bug 3300531 When monitoring server is enabled ColdFusion JSESSIONID is getting replaced by Jetty JSESSIONID changing the name to CFMONJSESSIONID -->
            <Set name="SessionHandler">
              <New class="org.eclipse.jetty.server.session.SessionHandler">
                <Set name="SessionCookie">CFMONJSESSIONID</Set>
                <Set name="SessionIdPathParameterName">CFMONJSESSIONID</Set>
              </New>
            </Set>
            <!-- Disable TRACE,OPTIONS methods (BEGIN) -->
            <Set name="handler">
              <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
                <New class="org.eclipse.jetty.util.security.Constraint" id="c">
                  <Set name="Name">auth</Set>
                  <Set name="Authenticate">true</Set>
                  <Set name="Roles">
                    <Array type="java.lang.String">
                      <Item>*</Item>
                    </Array>
                  </Set>
                </New>
                <Set name="ConstraintMappings">
                  <Array type="org.eclipse.jetty.security.ConstraintMapping">
                    <Item>
                      <New id="cmt" class="org.eclipse.jetty.security.ConstraintMapping">
                        <Set name="Constraint"><Ref refid="c"/></Set>
                        <Set name="Method">TRACE</Set>
                        <Set name="PathSpec">/*</Set>
                      </New>
                    </Item>
                    <Item>
                      <New id="cmo" class="org.eclipse.jetty.security.ConstraintMapping">
                        <Set name="Constraint"><Ref refid="c"/></Set>
                        <Set name="Method">OPTIONS</Set>
                        <Set name="PathSpec">/*</Set>
                      </New>
                    </Item>
                  </Array>
                </Set>
              </New>
            </Set>
            <!-- Disable TRACE,OPTIONS methods (END) -->
            <Call name="addServlet">
              <Arg>
                <New class="org.eclipse.jetty.servlet.ServletHolder">
                  <Arg>
                    <New class="coldfusion.monitor.jetty.server.MonitoringServlet">
                    </New>
                  </Arg>
                </New>
              </Arg>
              <Arg>/crossdomain.xml,/flex2gateway/*,/CFIDE/administrator/monitor/*,/CFIDE/administrator/help/*</Arg>
            </Call>
            <Call name="addServlet">
              <Arg>
                <New class="org.eclipse.jetty.servlet.ServletHolder">
                  <Arg>
                    <New class="coldfusion.util.CFFileServlet">
                    </New>
                  </Arg>
                </New>
              </Arg>
              <Arg>/CFPDFServiceFileServlet/*</Arg>
            </Call>
            <Call name="addFilter">
              <Arg>
                <New class="org.eclipse.jetty.servlet.FilterHolder">
                  <Arg>
                    <New class="coldfusion.filter.HTTPMethodFilter"></New>
                  </Arg>
                  <Call name="setInitParameter">
                    <Arg>allowedHTTPMethods</Arg>
                    <Arg>GET,POST</Arg>
                  </Call>
                </New>
              </Arg>
              <Arg>/*</Arg>
              <Arg>
                <Call class="java.util.EnumSet" name="allOf">
                  <Arg>
                    <Get class="javax.servlet.DispatcherType" name="class">
                    </Get>
                  </Arg>
                </Call>
              </Arg>
            </Call>
          </New>
        </Item>
        <!-- <Item> <New id="RequestLog" class="org.eclipse.jetty.server.handler.RequestLogHandler"/> </Item> -->
        <!-- -->
      </Array>
    </Set>
  </New>
</Set>
```