GlassFish cannot disable the TRACE method, which is a security problem!
This is what Oracle support wrote to me:
I did some testing using the following CLI method because it is not possible to use the GUI to alter the admin server parameters:
# /bin/asadmin set --user admin --port 4848 server-config.http-service.http-listener.admin-listener.property.traceEnabled=false
and also tried:
# /bin/asadmin set --user admin --port 4848 server.http-service.property.traceEnabled=false
Subsequently my testing for TRACE failed to produce desired results:
# telnet devnul 4848
Trying 10.10.10.11...
Connected to devnul.
Escape character is '^]'.
TRACE /index.html HTTP/1.0

HTTP/1.1 200 OK
X-Powered-By: Servlet/2.5
Server: Sun GlassFish Enterprise Server v2.1.1 Patch11
Content-Type: message/http
Content-Length: 28
Date: Fri, 01 Jul 2011 14:40:21 GMT
Connection: close

TRACE /index.html HTTP/1.0
Connection to devnul closed by foreign host.
Desired result should see "Method Not Allowed"
Further investigation disclosed following existing bug:
http://java.net/jira/browse/GLASSFISH-11234
Problem is an issue with Grizzly.
It is to be fixed in Glassfish 3.1
So my testing appears to agree the problem is not fixed in GF 2.1.1p11
Recommendation is to put a web server with reverse proxy in front of the GF server and disable TRACE in the web server configuration.
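The telnet session above is the check worth scripting: send a raw TRACE request and decide from the reply whether the server reflects it. The following is an added example, not code from the original post, from Oracle support or from the GlassFish project. It reproduces the manual probe in Python and classifies the response the way a practitioner would read it by hand: a 200 with a message/http body (or a body echoing the request line) means TRACE is enabled, a 405 means it is blocked. The two sample replies are constructed for an offline check; the first reproduces the GlassFish 2.1.1 response shown above, the second is a hypothetical reply from a front-end web server with TRACE disabled.

```python
"""Probe a web server for an enabled HTTP TRACE method (added example)."""
import socket
import sys
from dataclasses import dataclass


@dataclass
class TraceVerdict:
    status: int      # HTTP status code, 0 if the reply could not be parsed
    enabled: bool    # True when the server reflected the TRACE request
    reason: str


def build_trace_request(path="/index.html", host=None):
    # HTTP/1.0 keeps the probe to one round trip: the server closes the
    # connection after its reply, exactly as in the telnet session.
    lines = [f"TRACE {path} HTTP/1.0"]
    if host:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify_trace_response(raw: bytes, request: bytes) -> TraceVerdict:
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return TraceVerdict(0, False, "no complete HTTP header block in reply")
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return TraceVerdict(0, False, "malformed status line")
    status = int(parts[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get(b"content-type", b"").lower()
    # RFC 2616 section 9.8: a successful TRACE returns the received request
    # as the entity body with Content-Type message/http.
    if status == 200 and ctype.startswith(b"message/http"):
        return TraceVerdict(status, True, "200 with message/http body: request reflected")
    request_line = request.split(b"\r\n", 1)[0]
    if status == 200 and request_line in body:
        return TraceVerdict(status, True, "200 and body echoes the TRACE request line")
    if status == 405:
        return TraceVerdict(status, False, "405 Method Not Allowed: TRACE disabled")
    if status in (400, 403, 501):
        return TraceVerdict(status, False, f"{status}: TRACE refused")
    return TraceVerdict(status, False, f"unexpected status {status}; inspect manually")


def probe_trace(host, port, path="/index.html", timeout=5.0):
    """Send a live TRACE probe (not exercised offline)."""
    req = build_trace_request(path, host)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks), req)


# Constructed sample replies for an offline check.
# This one reproduces the GlassFish 2.1.1 reply from the telnet session above
# (Content-Length 28 is exactly "TRACE /index.html HTTP/1.0\r\n").
GLASSFISH_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-Powered-By: Servlet/2.5\r\n"
    b"Server: Sun GlassFish Enterprise Server v2.1.1 Patch11\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 28\r\n"
    b"Date: Fri, 01 Jul 2011 14:40:21 GMT\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACE /index.html HTTP/1.0\r\n"
)

# Hypothetical reply from a front-end web server with TRACE disabled.
HARDENED_REPLY = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python trace_probe.py <host> <port>
        print(probe_trace(sys.argv[1], int(sys.argv[2])))
    else:
        req = build_trace_request()
        for name, reply in (("glassfish", GLASSFISH_REPLY), ("hardened", HARDENED_REPLY)):
            print(name, classify_trace_response(reply, req))
```

Run it against the reverse proxy, not just the GlassFish port: the proxy only helps if clients cannot reach 4848 (or the HTTP listener) directly, so the probe should come from the network position an attacker would have. With Apache httpd as the front end, `TraceEnable off` is the core directive that produces the 405 reply.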
I am glad I have no GlassFish exposed to the internet.


1 thought on "glassfish disable trace method"

  1. Hi admin, I also have GlassFish version 2.1 and am not able to disable the TRACE method. So can you give me any solution that disables the TRACE method?
