How to disable the TRACE method in Sun Java Web Server and check it?

For security reasons, it is sometimes necessary to disable the TRACE method in Sun Java Web Server (TRACE echoes the full request, headers included, back to the client); see


 http://sunsolve.sun.com/search/document.do?assetkey=1-66-200171-1

One common mistake is to cut and paste the snippet from that document straight into the terminal (telnet) session in which obj.conf is being edited, which gives you this:


"


              <Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>

 "


You must remove the spaces in front of <Client...> and </Client>.


Also, the long AuthTrans directive must be ONE SINGLE line; do not let it wrap.


Then restart the server instance and test it.


e.g. in my environment, obj.conf contains:

<Object name="default">
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
....



Then the customer can test that TRACE is disabled, e.g. with telnet against the plain HTTP listener:

apple:/export/home/iws6.1sp8/https-trace-1/config> telnet apple.asia 60012
Trying 129.158.175.16...
Connected to apple.asia.sun.com.
Escape character is '\^]'.
TRACE / HTTP/1.1
Host: apple.asia

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 24 Jun 2008 07:31:35 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.



Without the change above to disable TRACE, you will see the default response below, in which the server echoes the request back:

apple:/export/home/iws6.1sp7> telnet apple.asia 61701
Trying 129.158.175.16...
Connected to apple.asia.sun.com.
Escape character is '\^]'.
TRACE / HTTP/1.1
Host: apple.asia

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 24 Jun 2008 07:33:50 GMT
Content-type: message/http
Transfer-encoding: chunked

0026
TRACE / HTTP/1.1
Host: apple.asia


0

I hope the above helps customers check that TRACE is disabled correctly after their change.


For an SSL listener, you can test the same way with openssl s_client. The session below shows the default response (200 OK with the request echoed back), i.e. TRACE still enabled on that instance:


 host40:/abc/web7u12/https-ssl> openssl s_client -quiet -connect  host40.abc.com:443
...
TRACE / HTTP/1.1
Host: host40.abc.com

HTTP/1.1 200 OK
Server: Oracle-iPlanet-Web-Server/7.0
Date: Thu, 30 Aug 2012 02:31:26 GMT
Content-type: message/http
Transfer-encoding: chunked

26
TRACE / HTTP/1.1
Host: host40.abc.com


0
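The same check as the telnet and openssl sessions above, scripted: this is an added example, not code from the original post or from the web server product. It sends a minimal TRACE request over a plain or TLS connection, classifies the reply as the 501 the obj.conf change produces or the default 200 echo, and embeds two sample replies constructed from the sessions above so the classifier can be exercised offline. Host names and ports are placeholders.

```python
import socket
import ssl

# Added example, not part of the original post: send the same TRACE request
# the telnet and openssl sessions above type by hand, and classify the reply.
# Sample replies below are constructed from the post's sessions (bodies cut).
DISABLED_REPLY = (b"HTTP/1.1 501 Not Implemented\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
                  b"Content-type: text/html\r\nConnection: close\r\n\r\n<HTML>...</HTML>")
ENABLED_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
                 b"Content-type: message/http\r\nTransfer-encoding: chunked\r\n\r\n"
                 b"26\r\nTRACE / HTTP/1.1\r\nHost: apple.asia\r\n\r\n\r\n0\r\n\r\n")

def build_trace_request(host: str) -> bytes:
    """The minimal HTTP/1.1 TRACE request typed in the sessions above."""
    return f"TRACE / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()

def classify_trace_response(raw: bytes) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for a raw HTTP response."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[1].isdigit():
        return "unknown"
    code = int(status[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # 501 is what the obj.conf change above produces; 405 Method Not Allowed
    # is the equivalent answer from other servers.
    if code in (501, 405):
        return "disabled"
    # 200 with message/http means the request was echoed back: TRACE is live.
    if code == 200 and headers.get("content-type", "").lower() == "message/http":
        return "enabled"
    return "unknown"

def check_trace(host: str, port: int, use_tls: bool = False, timeout: float = 5.0) -> str:
    """Connect (plain, or TLS like openssl s_client), send TRACE, classify the answer."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))
```

check_trace("apple.asia", 60012) reproduces the first telnet session above, and check_trace("host40.abc.com", 443, use_tls=True) the openssl one; a self-signed listener certificate will need a context that trusts it.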




Wing-Yip Walter Lee