How to disable http TRACE method in jetty 9.4?

Community Beginner ,
May 23, 2019 May 23, 2019

Copy link to clipboard

Copied

Coldfusion 11. I use server monitoring, which is configured on jetty.port. How to disable http TRACE, OPTIONS methods on jetty.port?

TOPICS
Security

Views

2.4K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
May 23, 2019 May 23, 2019

Copy link to clipboard

Copied

First note that that jetty is used by the monitor ONLY if you enable the "monitoring server" button on the CF Admin "server monitoring>monitoring settings" page. That simply enables accessing that monitor on that jetty port. Otherwise, you can access the CF monitor on the same port as the CF Admin.

And if you are NOT using that Jetty for that or any other use, then you can just disable it entirely. Or you can limit what IP address it listens on. Both can be done in the jetty.xml file. There's some discussion of modifying that here: ColdFusion Help | Work with Server Monitor

But if you NEED it enabled, then there's no discussion of disabling those option types you request. But here's the first result of searching for how to control options for jetty. Seems like it would work.

java - Disable OPTIONS Method Jetty Server - Stack Overflow

And as it indicates, the webdefault.xml file it refers to C:\ColdFusion10\cfusion\jetty\etc folder. But I have not tried it.


/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 24, 2019 May 24, 2019

Copy link to clipboard

Copied

Thanks for the idea of using the CFAdmin port for monitoring the server. In this case, everything is solved through WEB-INF/web.xml

<security-constraint>

    <web-resource-collection>

        <web-resource-name>NoTrace</web-resource-name>

        <url-pattern>/*</url-pattern>

        <http-method>TRACE</http-method>

    </web-resource-collection>

    <auth-constraint>

    </auth-constraint>

</security-constraint>

webdefault.xml did not work for me ((

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
May 28, 2019 May 28, 2019

Copy link to clipboard

Copied

Glad to help, and thanks for the update.

And as for the webdefault.xml that the doc referred to, perhaps that serves as a template/original for what ends up in that web.xml you tweaked. Can you clarify for folks where that WEB-INF folder is? There are indeed multiples of them within cf's subfolders.


/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 28, 2019 May 28, 2019

Copy link to clipboard

Copied

LATEST

1) It can be used as a server
.../cfusion/runtime/conf/web.xml

and for the application
... /cfusion/wwwroot/WEB-INF/web.xml

2) At first I tried to do it through jetty.xml. Below is an example, The server starts without errors, but the TRACE, OPTIONS methods return http 200 ((

Set handler Collection Structure

<!-- =========================================================== -->

<!-- Set handler Collection Structure                            -->

<!-- =========================================================== -->

<Set name="handler">

  <New class="org.eclipse.jetty.server.handler.HandlerCollection" id="Handlers">

    <Set name="handlers">

     <Array type="org.eclipse.jetty.server.Handler">

      <Item>

         <New class="org.eclipse.jetty.servlet.ServletContextHandler" id="ServletContext">

            <!-- <Arg>org.eclipse.jetty.servlet.ServletContextHandler.SESSIONS</Arg>  -->

             <Arg type="int">1</Arg>  <!-- in Jetty 7 Value for SESSIONS is 1. giving it programatically was not working. -->

            <Set name="ContextPath">/</Set>

            <!--Bug 3300531 When monitoring server is enabled ColdFusion JSESSIONID is getting replaced by Jetty JSESSIONID

            changing the name to CFMONJSESSIONID

            -->

            <Set name="SessionHandler">

              <New class="org.eclipse.jetty.server.session.SessionHandler">

                        <Set name="SessionCookie">CFMONJSESSIONID</Set>

                        <Set name="SessionIdPathParameterName">CFMONJSESSIONID</Set>

              </New>

            </Set>

<!-- Disable TRACE,OPTIONS methods (BEGIN)                            -->

<Set name="handler">

<New  class="org.eclipse.jetty.security.ConstraintSecurityHandler">

  <New class="org.eclipse.jetty.util.security.Constraint" id="c">

        <Set name="Name">auth</Set>

        <Set name="Authenticate">true</Set>

        <Set name="Roles">

                <Array type="java.lang.String">

                  <Item>*</Item>

                </Array>

        </Set>

  </New>

        <Set name="ConstraintMappings">

            <Array type="org.eclipse.jetty.security.ConstraintMapping">

                <Item>

                <New id="cmt" class="org.eclipse.jetty.security.ConstraintMapping">

                        <Set name="Constraint"><Ref refid="c"/></Set>

                        <Set name="Method">TRACE</Set>

                        <Set name="PathSpec">/*</Set>

                </New>

                </Item>

                <Item>

                <New id="cmo" class="org.eclipse.jetty.security.ConstraintMapping">

                        <Set name="Constraint"><Ref refid="c"/></Set>

                        <Set name="Method">OPTIONS</Set>

                        <Set name="PathSpec">/*</Set>

                </New>

                </Item>

           </Array>

        </Set>

</New>

</Set>

<!-- Disable TRACE,OPTIONS methods (END)                            -->

                <Call name="addServlet">

                      <Arg>

                          <New class="org.eclipse.jetty.servlet.ServletHolder">

                              <Arg>

                                  <New class="coldfusion.monitor.jetty.server.MonitoringServlet">

                                  </New>

                            </Arg>   

                        </New>   

                    </Arg>

                    <Arg>/crossdomain.xml,/flex2gateway/*,/CFIDE/administrator/monitor/*,/CFIDE/administrator/help/*</Arg>

                </Call>

                <Call name="addServlet">

                      <Arg>

                          <New class="org.eclipse.jetty.servlet.ServletHolder">

                              <Arg>

                                  <New class="coldfusion.util.CFFileServlet">

                                  </New>

                            </Arg>   

                        </New>

                    </Arg>

                    <Arg>/CFPDFServiceFileServlet/*</Arg>

                </Call>

                <Call name="addFilter">

                    <Arg>

                        <New class="org.eclipse.jetty.servlet.FilterHolder">

                            <Arg>

                                <New class="coldfusion.filter.HTTPMethodFilter"></New>

                            </Arg>

                            <Call name="setInitParameter">

                                <Arg>allowedHTTPMethods</Arg>

                                <Arg>GET,POST</Arg>

                            </Call>

                        </New>

                    </Arg>

                    <Arg>/*</Arg>

                    <Arg>

                        <Call class="java.util.EnumSet" name="allOf">

                            <Arg>

                                <Get class="javax.servlet.DispatcherType" name="class">

                                </Get>

                            </Arg>

                        </Call>

                    </Arg>

                </Call>

            </New>

           </Item>

           <!-- 

           <Item>

             <New id="RequestLog" class="org.eclipse.jetty.server.handler.RequestLogHandler"/>

           </Item>

           -->

      <!--

     -->

         </Array>

        </Set>

      </New>

    </Set>

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines