[PAX WEB] Configure allowed http methods


Daniel Stoch

Dec 28, 2021, 11:32:25 AM12/28/21
to OPS4J
Hi,

I am using PaxWeb 7.2.x and servlet registration using whiteboard.
By default Jetty allows to call OPTIONS http method which returns:

Allow: GET, HEAD, POST, TRACE, OPTIONS

For other known methods a proper 403 error is returned.
For other unknown methods (e.g. BLABLA) a 501 is returned (maybe not the best option for security reasons).
For the TRACE method PaxWeb raises an exception and returns 500 (I don't know why it is blocked in PaxWeb code?).

I need to limit this list of allowed methods for my app, e.g. only to: GET, POST.
And then the server should return 403 for all others.

I can implement a dedicated servlet filter for this, but maybe there is another, better way to do this? Especially since, when the OPTIONS method is available, the server should return only the configured allowed methods in the response header.

Are there any options for doing this in PaxWeb 7 using whiteboard? Or maybe it should be done directly in Jetty configuration using jetty.xml?

--
Best regards,
Daniel Stoch
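The "dedicated servlet filter" approach mentioned above, written out as an added example (not code from the thread or from Pax Web). It is a plain javax.servlet Filter, so it works with the Pax Web 7 whiteboard, and it does what the question asks for: only a configured set of methods reaches the servlet, every other method (including TRACE and unknown ones such as BLABLA) gets 405 Method Not Allowed with an Allow header, and OPTIONS is answered by the filter itself so the response advertises only the configured methods instead of Jetty's default list. The init-param name `allowedMethods` and the `register()` helper with its whiteboard properties are assumptions of this example; the property names themselves (`osgi.http.whiteboard.filter.pattern`, the `filter.init.` prefix) are the standard OSGi HTTP Whiteboard ones. The status code is 405, which is the correct code for a disallowed method (the 403 in the question is corrected to 405 later in the thread).

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Hashtable;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.stream.Collectors;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.framework.BundleContext;

/**
 * Example filter (not part of Pax Web) that allows only a configured set of
 * HTTP methods. Everything else is answered with 405 + Allow, and OPTIONS is
 * answered here so the servlet's default doOptions() never runs.
 */
public class AllowedMethodsFilter implements Filter {

    /** Init-param name chosen for this example; not a Pax Web option. */
    static final String PARAM_ALLOWED = "allowedMethods";

    // Default matches the question: GET and POST only.
    private Set<String> allowed = new LinkedHashSet<>(Arrays.asList("GET", "POST"));
    private String allowHeader;

    @Override
    public void init(FilterConfig cfg) {
        String configured = cfg.getInitParameter(PARAM_ALLOWED);
        if (configured != null && !configured.trim().isEmpty()) {
            // Comma-separated list, e.g. "GET, HEAD, POST"; normalised once at startup.
            allowed = Arrays.stream(configured.split(","))
                    .map(String::trim).map(String::toUpperCase)
                    .filter(s -> !s.isEmpty())
                    .collect(Collectors.toCollection(LinkedHashSet::new));
        }
        allowed = Collections.unmodifiableSet(allowed);
        // OPTIONS is always advertised because this filter answers it itself.
        allowHeader = String.join(", ", allowed) + ", OPTIONS";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // HTTP method names are case-sensitive, so compare exactly: "get" is not GET.
        String method = request.getMethod();

        if ("OPTIONS".equals(method)) {
            // Advertise only the configured methods, never Jetty's default list.
            response.setHeader("Allow", allowHeader);
            response.setContentLength(0);
            response.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        if (!allowed.contains(method)) {
            // RFC 7231 requires an Allow header on a 405 response.
            response.setHeader("Allow", allowHeader);
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Registers the filter for every request of the default context via the
     * OSGi HTTP Whiteboard. The "filter.init." prefix is how the whiteboard
     * passes init-params to a filter; the pattern "/*" is an assumption.
     */
    public static void register(BundleContext ctx, String allowedMethods) {
        Hashtable<String, Object> props = new Hashtable<>();
        props.put("osgi.http.whiteboard.filter.pattern", "/*");
        props.put("filter.init." + PARAM_ALLOWED, allowedMethods);
        ctx.registerService(Filter.class, new AllowedMethodsFilter(), props);
    }
}
```

Two things to decide when adopting this: HEAD is normally served by HttpServlet as a GET without a body, so add it to the list if clients rely on it; and because the filter handles OPTIONS before the servlet, a servlet that deliberately overrides doOptions() will no longer be reached for that method.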

Grzegorz Grzybek

Jan 10, 2022, 7:45:53 AM1/10/22
to op...@googlegroups.com
Hello

Thanks for the summary of the problem - actually I never thought about the OPTIONS method ;)

So let me present the picture:
  • TRACE method is disabled at Pax Web level itself and it was implemented with https://github.com/ops4j/org.ops4j.pax.web/issues/563 / PAXWEB-229 >10 years ago. I have no idea why HTTP/500 (Internal Server Error) instead of HTTP/405 (Method Not Allowed) was chosen...
  • Because runtimes (Jetty/Tomcat/Undertow) aren't aware of PAXWEB-229, it means OPTIONS still returns TRACE
  • In Pax Web 8 I've reimplemented the TRACE method removal using runtime-specific mechanisms:
    • Jetty: org.ops4j.pax.web.service.jetty.internal.PaxWebServletHandler#doHandle()
    • Tomcat: org.apache.catalina.connector.Connector#setAllowTrace(false) (no way to configure it to true)
    • Undertow: io.undertow.server.handlers.DisallowedMethodsHandler - configured using http(s)-listener/@disallowed-methods attribute (defaults to "TRACE").
  • In Pax Web 7 it looks like it's only for Jetty, nothing for Tomcat, and the "disallowed-methods" attribute is not handled for Undertow (it is in Pax Web 8)
So you made me realize that the OPTIONS method may return TRACE on Pax Web 8 for the Jetty runtime. It should be fine on Tomcat and Undertow, but I've created https://github.com/ops4j/org.ops4j.pax.web/issues/1664 to check this.

regards
Grzegorz Grzybek

OPS4J - http://www.ops4j.org - op...@googlegroups.com

Daniel Stoch

Feb 2, 2022, 12:54:39 PM2/2/22
to OPS4J
Hi,

Thanks for your answer and fix for TRACE, OPTIONS methods.
But what about my other question:
"I need to limit this list of allowed methods for my app, eg. only to: GET, POST."

You wrote something about "disallowed-methods":
  • In Pax Web 7 it looks like it's only for Jetty, nothing for Tomcat, and the "disallowed-methods" attribute is not handled for Undertow (it is in Pax Web 8)
but I don't understand how I can use it.


PS. I mistook the HTTP error code in my previous message - I wrote about 403 instead of 405, but I see that you corrected it in your answer :)

--
Best regards,
Daniel
