| Table of Contents | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
Trace is used as an input data echo logging mechanism for the http HTTP protocol. This request method is commonly used for debug and other connection analysis activities.
The http HTTP trace request (containing request line, headers, post data), sent to a trace supporting web server, will respond to the client with the information contained in the request.
Trace provides any an easy to way to tell what an http HTTP client is sending and what the server is receiving. Apache, IIS, and iPlanet all support trace as defined by the HTTP/1.1 RFC and is currently enabled by default. Very few system administrators have disabled this request method either because the method posed exposed no known risk, default settings were considered good enough or simply had no option to do so.
But in fact there is a risk since your web server echoes sensitive information in TRACE Trace requests.
The standard way to disable trace in jetty is the configuration of the web.xml like
| Code Block | ||
|---|---|---|
| ||
<security-constraint> <web-resource-collection> <web-resource-name>NoTrace</web-resource-name> <url-pattern>/*</url-pattern> <http-method>TRACE</http-method> </web-resource-collection> <auth-constraint> </auth-constraint> </security-constraint> |
This does not work with jetty Jetty running in JobScheduler. This is the reason , why we have disabled the trace method in jetty plugin in the version the Jetty plugin starting with release 1.7.xxxx