Http trace methods allowed

Similar Messages

• Disabling Web Server HTTP Trace/Track Method

  How is it possible to disable the Web Server HTTP Trace/Track Method under SJS 7.x?
  As per out internal Qualys Scan report:
  A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS web server uses an alias TRACK for this method, and is functionally the same.
  A vulnerability related to this method was discovered. A malicious, active component in a Web page can send Trace requests to a Web server that supports this Trace method. Usually, browser security disallows access to Web sites outside of the present site's domain. Although unlikely and difficult to achieve, it's possible, in the presence of other browser vulnerabilities, for the active HTML content to make external requests to arbitrary Web servers beyond the hosting Web server. Since the chosen Web server then echoes back the client request unfiltered, the response also includes cookie-based or Web-based (if logged on) authentication credentials that the browser automatically sent to the specified Web application on the specified Web server.

  http://blogs.sun.com/meena/entry/disabling_trace_in_sun_java

• Disable HTTP TRACE causes error 413 instead of 501

  Hello,
  I�ve tried to disable the HTTP TRACE Method for a Webserver 6.0 SP5 Instance as described in the according SUN Solve document:
  obj.conf:
  <Object name="default">
  <Client method="TRACE">
  AuthTrans fn="set-variable" remove-headers="transfer-encoding"
  set-headers="content-length: -1" error="501"
  </Client>
  (authtrans method in one line..)
  After a Restart I got the following result:
  telnet muwebt1sn1 80
  Trying <IP-Adress>...
  Connected to muwebt1sn1.
  Escape character is '^]'.
  TRACE http://muwebt1sn1/ HTTP/1.1
  HTTP/1.1 413 Request Entity Too Large
  Server: Netscape-Enterprise/6.0
  Date: Tue, 20 Apr 2004 06:51:00 GMT
  Content-length: 168
  Content-type: text/html
  Connection: close
  <HTML><HEAD><TITLE>Request Entity Too Large</TITLE></HEAD>
  <BODY><H1>Request Entity Too Large</H1>
  A request entity is longer than the server can handle.
  </BODY></HTML>Connection closed by foreign host.
  I would have expected an error code 501 / Method not supported. Does anybody know what went wrong ?
  Thanks
  Wolfgang

  Nothing went wrong. That's the expected behaviour on 6.0 SP5.

• Java Application Server 8.1 and HTTP TRACE

  I need to disable the HTTP TRACE method on our servers with Sun Java Application Server 8.1 UR2. The following URL specifies how to disable on previous versions, but does not seem relavent to newer versions.
  http://sunsolve.sun.com/search/document.do?assetkey=1-26-576 70-1
  Any ideas?

  Please post Application Server-specific questions to the App Server forum at:
  http://swforum.sun.com/jive/forum.jspa?forumID=114
  Thanks,
  Chris

• HTTP Connection - ADAPTER.HTTP_EXCEPTION - HTTP 405 Method not allowed

  Hello,
  we are trying to connect to a server using http. However so far the connection does not work.
  I tried both the SOAP receiver (without SOAP envelope) and the plain HTTP receiver.
  1. SOAP Receiver: ADAPTER.HTTP`_EXCEPTION - HTTP 405 Method Not Allowed
  2. HTTP Receiver: HTTP Client code 400 reason ICM_HTTP_CONNECTION_FAILED
  Does anyone has an idea what the problem possibliy could be?`
  Thank you!

  Hello Folk,
  Check it once this blog this will be similar to your requirment
  HTTP 404 not found
  Regards,
  Ravi.

• Posting from  one jsp to another gives HTTP 405 "method not allowed"

  I have a servlet filter that authenticates all requests for resources in my web app. This works fine when HTTP GET requests are being used, but I notice I get a HTTP 405 "Method not allowed" when a HTTP POST is issued. Even a simple JSP page that posts to another JSP page fails with this error. If I remove the filter, everything works OK.
  The filter doesn't do anything exceptional (that I can see), other than do a redirect to use SSL if the request isn't being called on that.
  Thanks for any help.

  If you've got access to the filter code - check that it doesn't contain any conditional checking on HttpServletRequest.getMethod() or alike.
  If the only thing you need to do is to ensure the use of SSL, why don't you declare a security-constraint in you web.xml:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Ensure encryption</web-resource-name>
  <url-pattern>/</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  - J�rgen L�kke -

• Disabling the HTTP TRACE and TRACK Methods

  Greetings,
  Due to a security audit, I need to have the proxy reject requests containing the HTTP TRACE or TRACK methods. I have a proxy set up which listens on port 80 and simply redirects all requests to another proxy, which only accepts requests on 443. I thought that I would start by disabling TRACE/TRACK in the port 80 proxy. Here is a portion of my obj.conf for the port 80 proxy:
  <Object name="default">
  AuthTrans fn="match-browser" browser=".*MSIE.*" ssl-unclean-shutdown="true"
  <Client method="TRACE">
  Service fn="deny-service"
  </Client>
  <Client security="off">
  NameTrans fn="redirect" from="/" url="https://www.site.com/Site"
  </Client>
  PathCheck fn="url-check"
  ObjectType fn="block-ip"
  Service fn="deny-service"
  AddLog fn="flex-log" name="access"
  </Object>
  It seems that the server simply ignores the first <Client> tag and processes the second one. Even when I telnet to the proxy on port 80, and issue a "TRACE /" request, all it does is redirect me to www.site.com/Site. Can someone point me in the right direction here? Where is the best or proper place to intercept requests involving these methods?
  Thanks,
  Chris

  Please try moving the <Client> tag to the protocol-specific object. For example:
  <Object ppath="http://.*">
  <Client method="TRACE">
  Service fn="deny-service"
  </Client>
  Service fn="proxy-retrieve" method="*"
  </Object>

• Fix not working to disable http trace in iPlanet 6.0 SP5

  Hello.
  I'm running iPlanet web server 6.0 SP5 on Solaris 8. A recent security compliance scan disclosed a number of vulnerabilities, among them the fact that I have HTTP TRACE enabled. I applied the fix to obj.conf described at http://sunsolve6.sun.com/search/document.do?assetkey=1-26-50603-1&searchclause=security
  stopped and restarted the server, but the TRACE did not disable. The way I test this is
  <code>
  telnet server-name http-portnum
  TRACE / HTTP/1.1
  HOST:hostname
  </code>
  Rather than generating an error (501?) as it should it comes back with
  <code>
  HTTP/1.1 200 OK
  Server: Netscape-Enterprise/6.0
  Date: Fri, 13 Aug 2004 20:31:44 GMT
  Content-length: 36
  Content-type: message/http
  </code>
  In addition if , instead of TRACE / HTTP/1.1 I use the command
  <code>
  OPTIONS * HTTP/1.1
  </code>
  I get
  <code>
  HTTP/1.1 200 OK
  Server: Netscape-Enterprise/6.0
  Date: Fri, 13 Aug 2004 20:32:03 GMT
  Content-length: 0
  Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR
  </code>
  So clearly it's not disabled.
  Here is a snippet of the obj.conf file showing the inserted "fix" :
  <code>
  # Sun Netscape Alliance - obj.conf
  # You can edit this file, but comments and formatting changes
  # might be lost when the admin server makes changes.
  <Object name="default">
  <Client method="TRACE">
  AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="cont
  ent-length: -1" error="501"
  </Client>
  NameTrans fn="NSServletNameTrans" name="servlet"
  NameTrans fn="document-root" root="$docroot"
  PathCheck fn="unix-uri-clean"
  PathCheck fn="check-acl" acl="default"
  PathCheck fn="find-pathinfo"
  PathCheck fn="find-index" index-names="index.html,home.html"
  ObjectType fn="type-by-extension"
  ObjectType fn="force-type" type="text/plain"
  Service type="magnus-internal/jsp" fn="NSServletService"
  Service method="(GET|HEAD)" type="magnus-internal/imagemap" fn="imagemap"
  Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
  Service fn="shtml_send" type="magnus-internal/parsed-html" method="(GET|HEAD)"
  Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
  AddLog fn="flex-log" name="access"
  </Object>
  </code>
  Can anyone suggest why this isn't working? I've beaten this one to death. Thanks. Peter.

  1) Why would TRACE and OPTION request specifying HTTP 1.0 vs. 1.1 yield such different results?
  Web Server 6.0 only implements the TRACE and OPTIONS methods for HTTP/1.1, not HTTP/1.0. This is reasonable as TRACE and OPTIONS are part of the HTTP/1.1 protocol and not the HTTP/1.0 protocol.
  In other words, TRACE is always disabled for HTTP/1.0 requests, even if you don't use the set-variable work around.
  2) Is the OPTIONS command a legitimate test of whether this fix works? If it is, has anyone managed to have the command return an "Allow:" line MINUS the TRACE?
  Nope, not in Web Server 6.0. OPTIONS will always list TRACE. (Note that in Web Server 6.1, TRACE is not as tightly integrated into the server core. As a result, OPTIONS will conditionally list TRACE in 6.1.)
  3) Has anyone managed to generate a 501 error message after specifying TRACE / HTTP/1.1 instead of 1.0?
  Nope, not in Web Server 6.0.
  4) Does this fix really work?
  I wouldn't call it a fix; it's a work around. However, it does effectively disable TRACE. The work around is a bit of a kludge, resulting in the odd 413 status code.
  The real "fix" appears in Web Server 6.1 where you can disable TRACE simply by commenting out the Service method="TRACE" fn="service-trace" line in obj.conf.

• Disabling HTTP OPTIONS method

  Hi
  Can anyone tell me how I can disable the HTTP OPTIONS method in Sun One Web Server 6.0 SP4.
  Thanks

  1) Why would TRACE and OPTION request specifying HTTP 1.0 vs. 1.1 yield such different results?
  Web Server 6.0 only implements the TRACE and OPTIONS methods for HTTP/1.1, not HTTP/1.0. This is reasonable as TRACE and OPTIONS are part of the HTTP/1.1 protocol and not the HTTP/1.0 protocol.
  In other words, TRACE is always disabled for HTTP/1.0 requests, even if you don't use the set-variable work around.
  2) Is the OPTIONS command a legitimate test of whether this fix works? If it is, has anyone managed to have the command return an "Allow:" line MINUS the TRACE?
  Nope, not in Web Server 6.0. OPTIONS will always list TRACE. (Note that in Web Server 6.1, TRACE is not as tightly integrated into the server core. As a result, OPTIONS will conditionally list TRACE in 6.1.)
  3) Has anyone managed to generate a 501 error message after specifying TRACE / HTTP/1.1 instead of 1.0?
  Nope, not in Web Server 6.0.
  4) Does this fix really work?
  I wouldn't call it a fix; it's a work around. However, it does effectively disable TRACE. The work around is a bit of a kludge, resulting in the odd 413 status code.
  The real "fix" appears in Web Server 6.1 where you can disable TRACE simply by commenting out the Service method="TRACE" fn="service-trace" line in obj.conf.

• How to enable http trace for a mobile application??

  Hi ,
  SSO(single Sign On) is failing in my client's application.And it is an android application.So,we are not able to enable the http trace and see where its failing/where the cookie is getting wiped out. Please let me know if there is any alternative way to trace this mobile application.
  Cheers & regards
  Priyadarshini

  Interesting
  android - Capturing mobile phone traffic on wireshark - Stack Overflow
  Check if any of the method mentioned on above link helps
  To replicate the issue you can also use the emulator. Emulator can be downloaded from Android Developers

• Missing option to change HTTP request method on iView level

  Dear all,
  I am trying to implement an iView using the ApplicationIntegrator. Unfortunately I am getting the error message "Request Method POST is not allowed". I found this nice weblog where you have the option on the iView level to change the HTTP request method to "GET". Unfortunately I do not have this parameter.
  I am on EP6.0 SP 9.
  I really appreciate your help and will reward points.
  Thanks,
  Jens

  I'm not sure I fully follow what the problem is, or I'm misreading the issue.
  Just to be clear, you are in Active Directory Domains & Trusts console, you did a click on "Active Directory Domains and Trusts," and then you are saying on the left pane you are not seeing the "Raise Forest Functional Level"
  option, such as the following screenshot shows?
  I assume there is currently only one domain in the forest.
  Was there at any time another domain that was removed, such as a child domain or an additional domain tree, there was removed?
  What's the Schema version? To find it, run this without the quotes:
  "dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion"
  Schema Version Matrix:
  ============================
  Version 13 = Windows Server 2000
  Version 30 = Windows Server 2003 RTM, Windows Server 2003 with Service Pack 1, Windows Server 2003 with Service Pack 2
  Version 31 = Windows Server 2003 R2
  Version 44 = Windows Server 2008
  Version 47 = Windows Server 2008 R2
  Version 56 = Windows Server 2012 RTM
  Version 69 = Windows Server 2012 R2
  Late Edit:
  See the following link for a similar discussion:
  Unable to raise forest functional level
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/1d777261-ea53-4301-9541-3ea037245986/unable-to-raise-forest-functional-level?forum=winserverDS
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• JAX-WS -- Force a wsimport generated ws client to use http POST method

  I've used wsimport to generate a JAX-WS client for a wsdl and xsd bindings that were provided to me.
  The basic implementation goes something like this.
  URL serviceUrl = ...url to the live web service's wsdl (this will change often and needs to be data driven)
  QName qname = new QName("thenamespace", "MyService")
  MyService myService = new MyService(serviceUrl, qname);
  At this point a http GET request is sent to the server which promptly spits back a "405: method not allowed" because it is only configured to accept the http POST method.
  Unfortunately i cannot change this behavior and need a way to get the web service client to generate http POST requests.
  Setting the following seemed to have no effect.
  System.setProperty("javax.xml.ws.http.request.method", "POST");
  Thanks!

  so, keep the wsdl as a local resource and use a url for the local resource. then the service will not request the remote wsdl.

• Business Service with multiple HTTP Request Methods

  hi all -
  I'm new to OSB and trying to prototype a solution. I have a service provider that exposes a number of HTTP operations (GET/PUT/POST/DELETE). It's a JAX-RS implementation.
  I was looking to create 1 proxy service and 1 business service for that service provider. But, within my business service, I must chose a 'HTTP Request Method' and it allows only 1 type (either GET, PUT, POST, DELETE). So, I have something working, but only for a single type (POST in my prototype). I figure I could create more proxy and business services for the other HTTP Request Methods, but I'm not sure if this is the correct approach (design/architecture).
  My other thought was to create a proxy service to front the service provider, but looking at the documentation, it looks like there should be a business service for each proxy service. If it's possible to use a proxy service without a business service to mediate the service provider, where would I add my URLs for the service provider in the proxy service.
  My apologies on the 2 part architecture/design question. I thought the group would help with getting me started.
  thanks jim

  Hi,
  Frankly I dont know too much on this topic but following links may help you:
  http://help.sap.com/saphelp_nw04/helpdata/en/25/dda73e5b7a424de10000000a114084/frameset.htm
  Troubleshooting ICF: http://help.sap.com/saphelp_nw04/helpdata/en/80/b2dd3a6dac703be10000000a11405a/content.htm
  Possibly experts in this forum will be able to help you:  Application Server->Internet Transaction Server (ITS)
  Regards,
  Gourav

• ICM_HTTP_CONNECTION_FAILED error on http receive method

  Hi,
  I am trying to read a XML via http. I have developed a code referencing this blog:
  /people/rashid.javed/blog/2007/03/11/cricket-world-cup-http-client-and-simple-transformations
  When http receive method is executed it gives me an error.
  On executiong of: CALL METHOD client->receive it gives error:
  code:    400  message:  ICM_HTTP_CONNECTION_FAILED
  I treid changing host and buf in code below both to http://www.google.com to rule out the possibility of bad url. Also tried setting time out to 500 in send method. Still no luck.
  ICM trace shows following:
  Thr 4864] *** WARNING => Connection request from (16/6462/1) to host: http://www.google.com/, service: 80 failed (NIEHOST_UNKNO
  How do I solve this error, please give me some tips.
  I was looking forum for this issue but was not able to find a solution.
  Here is complete code:
  DATA: client TYPE REF TO if_http_client.
  DATA: host TYPE string.
  * DATA: proxyh TYPE string VALUE 'IfYouHave.Proxy.com',
  *      proxyp TYPE string VALUE '8080'.
  DATA: buff TYPE string,
        respd TYPE string.
  DATA: subrc TYPE sysubrc.
  CALL METHOD cl_http_client=>create
    EXPORTING
      host               = 'http://www.google.com/ig/api'
  *    SERVICE            =
  *    proxy_host         = proxyh
  *    proxy_service      = proxyp
  *    SCHEME             = SCHEMETYPE_HTTP
  *    SSL_ID             =
  *    SAP_USERNAME       =
  *    SAP_CLIENT         =
    IMPORTING
      client             = client
    EXCEPTIONS
      argument_not_found = 1
      plugin_not_active  = 2
      internal_error     = 3
      OTHERS             = 4
  IF sy-subrc <> 0.
    WRITE:/ ' cl_http_client=>create, subrc = ', sy-subrc.
    EXIT.
  * MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
  *            WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
  ELSE.
    buff = 'GET'.
    CALL METHOD client->request->set_header_field
      EXPORTING
        name  = '~request_method'
        value = buff.
    buff = 'http://www.google.com/ig/api?weather=21218&hl=en'.
    cl_http_utility=>set_request_uri( request = client->request
                                      uri     = buff ).
    subrc = cl_http_utility=>get_last_error( ).
    IF subrc <> 0.
      WRITE: / 'Wrong URI format'.
      EXIT.
    ENDIF.
  ENDIF.
  CALL METHOD client->send
  *  EXPORTING
  *    TIMEOUT                    = CO_TIMEOUT_DEFAULT
    EXCEPTIONS
      http_communication_failure = 1
      http_invalid_state         = 2
      http_processing_failed     = 3
      http_invalid_timeout       = 4
      OTHERS                     = 5
  IF sy-subrc <> 0.
    CALL METHOD client->get_last_error
      IMPORTING
        code    = subrc
        MESSAGE = buff.
    WRITE: / 'communication_error( send )',
           / 'code: ', subrc, 'message: ', buff.
    EXIT.
  ENDIF.
  CALL METHOD client->receive
    EXCEPTIONS
      http_communication_failure = 1
      http_invalid_state         = 2
      http_processing_failed     = 3
      OTHERS                     = 4.
  IF sy-subrc <> 0.
    CALL METHOD client->get_last_error
      IMPORTING
        code    = subrc
        MESSAGE = buff.
    FORMAT COLOR COL_BACKGROUND.
    WRITE: / 'communication_error( receive )',
           / 'code: ', subrc, 'message: ', buff.
    WRITE: / 'communication_error'.
    EXIT.
  ENDIF.
  respd = client->response->get_cdata(  ).
  WRITE:/ respd.
  Thanks in advance,
  CD
  Edited by: CD on Feb 19, 2009 1:46 PM

  Check this link..
  [HTTP client code 400 reason ICM_HTTP_CONNECTION_FAILED;

• How to call HTTP Post Method URL in SOA 10g

  Hi,
  I have a requirement where i need to call a HTTP Post Method, I have a URL, if i hit it in the browser, i am getting the response details. I know there is a HTTP Binding Adapter in 11g, but we are on 10g. Can anyone please let me know whether we can do it in 10g and how ?
  Thanks Always
  N

  You will need to write the WSDL by yourself. Just make sure you have the end point detail, operation name(if required) and the schema available to write the WSDL.