Disable HTTP TRACE

bmw01281991
Offline
Joined: 2009-11-23

I am using a web security analyzer tool: nikto.
When I scan GlassFish on my local box, it says HTTP TRACE is enabled.
When I add the property "traceEnabled" and set it to "false", nikto still reports that HTTP TRACE is enabled.
Is this the correct way to disable HTTP TRACE?

bmw01281991
Offline
Joined: 2009-11-23

In GlassFish's admin console, there is a menu item http-service.
I added the property and value there.
Previously, I added the property and value to the http-listener, which was wrong.

drumik
Offline
Joined: 2009-12-03

So I don't need to set this property for virtual servers?

Jan Luehe

On 12/03/09 10:27, glassfish@javadesktop.org wrote:
> So I don't need to set this property for virtual servers?
>

Correct, this configuration aspect is not supported at the
virtual-server level.

Jan

> [Message sent by forum member 'drumik' ]
>
> http://forums.java.net/jive/thread.jspa?messageID=374604

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: users-help@glassfish.dev.java.net

drumik
Offline
Joined: 2009-12-03

I don't know what to tell you. As per the Nessus scan, TRACE is still enabled.

See below output from domain.xml:

Shing Wai Chan

Hi,
The configuration below is not for GlassFish v3.
Are you using GlassFish v3? I have verified that it works there when the
container starts (for instance, when there is at least one war in the
server.)
Note that in v3, you have to set trace-enabled differently.
asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled=true
Regards,
Shing Wai Chan

glassfish@javadesktop.org wrote:
> I don't know what to tell you. As per Nessus Scan trace is still enabled
>
> see below output from domain.xml
>
> [Message sent by forum member 'drumik' ]
>
> http://forums.java.net/jive/thread.jspa?messageID=374769
>

drumik
Offline
Joined: 2009-12-03

I'm using 2.1

drumik
Offline
Joined: 2009-12-03

Let me give you a little bit more background on my current setup.

I'm running GlassFish in production as well as testing environments. In testing I just download the latest stable version (2.1) and install using defaults.
I tried disabling HTTP TRACE using the GUI as well as editing "domain.xml", but every time I scan the server using Nessus I detect that Trace/Track is enabled.
See below output from domain.xml:

Any advice is appreciated

Thank you

drumik
Offline
Joined: 2009-12-03

What if I modify the web.xml file and put something like this at the bottom? Logically thinking, I'm supposed to be able to block TRACE and OPTIONS. Correct me if I'm wrong.
Thank you



Blocked
/*
OPTIONS
TRACE
TRACE


Blocked
Blocked


Blocked
Blocked

Shing Wai Chan

glassfish@javadesktop.org wrote:
> I am using a web security analyzer tool: nikto.
> When I scan GlassFish on my local box, it says HTTP TRACE is enabled.
> When I add the property "traceEnabled" and set it to "false", nikto still reports that HTTP TRACE is enabled.
> Is this the correct way to disable HTTP TRACE?
>
Do you set the property under http-service?
Shing Wai Chan
> [Message sent by forum member 'bmw01281991' ]
>
> http://forums.java.net/jive/thread.jspa?messageID=373057

bmw01281991
Offline
Joined: 2009-11-23

I see where you are saying to set this property. Thanks, it worked.
I was setting it in the http-listener area.

drumik
Offline
Joined: 2009-12-03

Where did you change it?

Right under http-listener?
Or under virtual server?
File name domain.xml?

Thanks

anilam
Offline
Joined: 2005-03-29

I don't know why my reply became an attachment. I'll just copy it here again.
I am also attaching the 2 screenshots for v3.

If you are using GlassFish v2, you need to set the property "traceEnabled" to "true" or "false" under .
Here is the reference documentation that lists out all the property name for http-service. http://docs.sun.com/app/docs/doc/820-4338/abhcq?a=view

If you are using GlassFish v3, you don't need to dig out the property names. They are now attributes under element which is under
. The attribute name is "trace-enabled" and default to "true" as well.

Here is the instruction for changing this in v3:

Using Admin Console:
expand Configuration -> Network Config -> Network Listeners
Click the listener name that you want to configure.
You can then change the Trace Enabled checkbox under the HTTP Tab.
I will attach a screenshot.

Using CLI
You need to find out the name of the protocol that your listener is using. The following example shows you how to get the current setting and change it to false. By default, Trace is enabled.
Note: you need the protocol name, the example below says "http-listener-1" only because the Name of the protocol is "http-listener-1".

%./asadmin get configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled
configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled=true

Command get executed successfully.

%./asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled=false
configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled=false

Command set executed successfully.

Hope this helps.
Anissa.
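After setting the traceEnabled property (v2) or the trace-enabled attribute via asadmin (v3) as described above, the change can be confirmed the same way nikto and Nessus observe it: send one TRACE request and see whether the server echoes it back. This is an added Python example, not code from the thread or from GlassFish; the host/port defaults and the X-Trace-Marker header are assumptions, and the embedded responses are constructed samples rather than real server output.

```python
import socket

# Constructed sample responses (not captured from a real GlassFish), so the
# classifier can be exercised offline; the first one echoes the request back.
SAMPLE_ENABLED = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nConnection: close\r\n\r\n"
    "TRACE / HTTP/1.1\r\nHost: localhost\r\nX-Trace-Marker: m1\r\n\r\n"
)
SAMPLE_DISABLED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

def build_trace_request(host, marker):
    """Minimal HTTP/1.1 TRACE request carrying a header we can recognise in an echo."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n"
            f"X-Trace-Marker: {marker}\r\nConnection: close\r\n\r\n")

def parse_response(raw):
    """Split a raw HTTP response into (status_code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_enabled(raw_response, marker):
    """Enabled only when the server answers 200 AND echoes the request (our marker
    in the body, or a message/http body); 4xx/5xx or a non-echoing 200 is disabled."""
    status, headers, body = parse_response(raw_response)
    if status != 200:
        return False
    return (f"X-Trace-Marker: {marker}" in body
            or headers.get("content-type", "").startswith("message/http"))

def check_server(host="localhost", port=8080, timeout=5.0):
    """Send one TRACE request to host:port and classify the live response."""
    marker = "trace-check"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, marker).encode("ascii"))
        data = b"".join(iter(lambda: sock.recv(4096), b""))
    return trace_enabled(data.decode("latin-1"), marker)

if __name__ == "__main__":
    # Offline self-check, then a live check against the local GlassFish listener.
    assert trace_enabled(SAMPLE_ENABLED, "m1") and not trace_enabled(SAMPLE_DISABLED, "m1")
    print("TRACE enabled on localhost:8080:", check_server())
```

Run it before and after the asadmin change; a 405 (or any non-echoing answer) after the change means the scanner finding should clear.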