FAQ

[Tomcat-users] howto disable webdav extensions / methods?

Patrick Glennon
Jul 1, 2004 at 9:53 pm
How do I disable the webdav extensions? Basically, I don't want to allow
any of the webdav methods ( PROPFIND, OPTIONS, COPY, DELETE, etc... ), but I
cannot find where to disable or limit them.



This is running tomcat direct, I know how to do it with Apache, I just don't
know how to do it with tomcat.



Thanks in advance,

-P
reply

Search Discussions

7 responses

  • Bill Barker at Jul 2, 2004 at 3:21 am
    Well, firstly, unless your servlet understands the methods, nothing
    interesting will happen for a webdav request :). If you want webdav
    extensions to do anything, you have to enable them.

    Having said that, you could also disable them via adding
    security-constraints with the proper http-methods to your web.xml file.

    "Patrick Glennon" <pglennon@unifocus.com> wrote in message
    news:D8D718A8E8775A4C966C14474859899C9175D8@mail1.unifocus.com...
    How do I disable the webdav extensions? Basically, I don't want to allow
    any of the webdav methods ( PROPFIND, OPTIONS, COPY, DELETE, etc... ), but I
    cannot find where to disable or limit them.



    This is running tomcat direct, I know how to do it with Apache, I just don't
    know how to do it with tomcat.



    Thanks in advance,

    -P



    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
  • Patrick Glennon at Jul 6, 2004 at 3:02 pm
    Anyone have any thoughts on this? Maybe I'll try posting on the developer
    list, for the life of me, I can't seem to find where to shut this off.



    _____

    From: Patrick Glennon
    Sent: Thursday, July 01, 2004 4:52 PM
    To: 'Tomcat Users List'
    Subject: howto disable webdav extensions / methods?



    How do I disable the webdav extensions? Basically, I don't want to allow
    any of the webdav methods ( PROPFIND, OPTIONS, COPY, DELETE, etc... ), but I
    cannot find where to disable or limit them.



    This is running tomcat direct, I know how to do it with Apache, I just don't
    know how to do it with tomcat.



    Thanks in advance,

    -P
  • Tim Funk at Jul 6, 2004 at 3:23 pm
    How do you mean disable? The default servlet has an option to allow/disallow
    DELETE, etc.

    Oterwise - you can define a security constraint in web.xml on these methods
    and have them no be accessible by any role.

    -Tim



    Patrick Glennon wrote:
    Anyone have any thoughts on this? Maybe I'll try posting on the developer
    list, for the life of me, I can't seem to find where to shut this off.



    _____

    From: Patrick Glennon
    Sent: Thursday, July 01, 2004 4:52 PM
    To: 'Tomcat Users List'
    Subject: howto disable webdav extensions / methods?



    How do I disable the webdav extensions? Basically, I don't want to allow
    any of the webdav methods ( PROPFIND, OPTIONS, COPY, DELETE, etc... ), but I
    cannot find where to disable or limit them.



    This is running tomcat direct, I know how to do it with Apache, I just don't
    know how to do it with tomcat.
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
  • PATTUS Jean-Philippe at Jul 6, 2004 at 3:50 pm
    did you try to stop the application webdav under Tomcat Manager.
    I think if you stop this application, all the webdav methods will be
    unavailable.

    -----Message d'origine-----
    De : Tim Funk
    Envoye : mardi 6 juillet 2004 17:04
    A : Tomcat Users List
    Objet : Re: howto disable webdav extensions / methods?


    How do you mean disable? The default servlet has an option to allow/disallow

    DELETE, etc.

    Oterwise - you can define a security constraint in web.xml on these methods
    and have them no be accessible by any role.

    -Tim



    Patrick Glennon wrote:
    Anyone have any thoughts on this? Maybe I'll try posting on the developer
    list, for the life of me, I can't seem to find where to shut this off.



    _____

    From: Patrick Glennon
    Sent: Thursday, July 01, 2004 4:52 PM
    To: 'Tomcat Users List'
    Subject: howto disable webdav extensions / methods?



    How do I disable the webdav extensions? Basically, I don't want to allow
    any of the webdav methods ( PROPFIND, OPTIONS, COPY, DELETE, etc... ), but I
    cannot find where to disable or limit them.



    This is running tomcat direct, I know how to do it with Apache, I just don't
    know how to do it with tomcat.
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
  • Patrick Glennon at Jul 6, 2004 at 4:37 pm
    I tried that, and even un-deployed the webdav app, but not only are the
    methods still available, they still work. PROPFIND http://url/directory
    will still work, for example. This leads me to believe that the webdav app
    has very little to do with webdav functionality, but I can't find where else
    it is set.

    -Patrick

    -----Original Message-----
    From: PATTUS Jean-Philippe
    Sent: Tuesday, July 06, 2004 10:35 AM
    To: Tomcat Users List
    Subject: RE: howto disable webdav extensions / methods?

    did you try to stop the application webdav under Tomcat Manager.
    I think if you stop this application, all the webdav methods will be
    unavailable.

    -----Message d'origine-----
    De : Tim Funk
    Envoye : mardi 6 juillet 2004 17:04
    A : Tomcat Users List
    Objet : Re: howto disable webdav extensions / methods?


    How do you mean disable? The default servlet has an option to allow/disallow

    DELETE, etc.

    Oterwise - you can define a security constraint in web.xml on these methods
    and have them no be accessible by any role.

    -Tim



    Patrick Glennon wrote:
    Anyone have any thoughts on this? Maybe I'll try posting on the developer
    list, for the life of me, I can't seem to find where to shut this off.



    _____

    From: Patrick Glennon
    Sent: Thursday, July 01, 2004 4:52 PM
    To: 'Tomcat Users List'
    Subject: howto disable webdav extensions / methods?



    How do I disable the webdav extensions? Basically, I don't want to allow
    any of the webdav methods ( PROPFIND, OPTIONS, COPY, DELETE, etc... ), but I
    cannot find where to disable or limit them.



    This is running tomcat direct, I know how to do it with Apache, I just don't
    know how to do it with tomcat.
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
  • Mark Thomas at Jul 6, 2004 at 9:51 pm
    Patrick,

    The only code in tomcat that understands PROPFIND is the webdav servlet. I have
    justed tried using telnet to PROPFIND a resource that isn't mapped to the webdav
    servlet and I get the expected 501 response.

    What do you see if you try:
    telenet
    open localhost 8080
    PROPFIND http://localhost:8080/index.jsp HTTP/1.1

    Mark
    -----Original Message-----
    From: Patrick Glennon
    Sent: Tuesday, July 06, 2004 5:19 PM
    To: 'Tomcat Users List'
    Subject: RE: howto disable webdav extensions / methods?

    I tried that, and even un-deployed the webdav app, but not
    only are the
    methods still available, they still work. PROPFIND
    http://url/directory
    will still work, for example. This leads me to believe that
    the webdav app
    has very little to do with webdav functionality, but I can't
    find where else
    it is set.

    -Patrick

    -----Original Message-----
    From: PATTUS Jean-Philippe
    Sent: Tuesday, July 06, 2004 10:35 AM
    To: Tomcat Users List
    Subject: RE: howto disable webdav extensions / methods?

    did you try to stop the application webdav under Tomcat Manager.
    I think if you stop this application, all the webdav methods will be
    unavailable.

    -----Message d'origine-----
    De : Tim Funk
    Envoye : mardi 6 juillet 2004 17:04
    A : Tomcat Users List
    Objet : Re: howto disable webdav extensions / methods?


    How do you mean disable? The default servlet has an option to
    allow/disallow

    DELETE, etc.

    Oterwise - you can define a security constraint in web.xml on
    these methods
    and have them no be accessible by any role.

    -Tim



    Patrick Glennon wrote:
    Anyone have any thoughts on this? Maybe I'll try posting
    on the developer
    list, for the life of me, I can't seem to find where to
    shut this off.


    _____

    From: Patrick Glennon
    Sent: Thursday, July 01, 2004 4:52 PM
    To: 'Tomcat Users List'
    Subject: howto disable webdav extensions / methods?



    How do I disable the webdav extensions? Basically, I don't
    want to allow
    any of the webdav methods ( PROPFIND, OPTIONS, COPY,
    DELETE, etc... ), but
    I
    cannot find where to disable or limit them.



    This is running tomcat direct, I know how to do it with
    Apache, I just
    don't
    know how to do it with tomcat.
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
  • Patrick Glennon at Jul 7, 2004 at 4:06 pm
    You were right. I guess I didn't restart or something, but aftern
    undeploying the webdav servlet, propfind et al now return 501s...

    Thanks!
    -Patrick

    -----Original Message-----
    From: Mark Thomas
    Sent: Tuesday, July 06, 2004 4:51 PM
    To: 'Tomcat Users List'
    Subject: RE: howto disable webdav extensions / methods?

    Patrick,

    The only code in tomcat that understands PROPFIND is the webdav servlet. I
    have
    justed tried using telnet to PROPFIND a resource that isn't mapped to the
    webdav
    servlet and I get the expected 501 response.

    What do you see if you try:
    telenet
    open localhost 8080
    PROPFIND http://localhost:8080/index.jsp HTTP/1.1

    Mark
    -----Original Message-----
    From: Patrick Glennon
    Sent: Tuesday, July 06, 2004 5:19 PM
    To: 'Tomcat Users List'
    Subject: RE: howto disable webdav extensions / methods?

    I tried that, and even un-deployed the webdav app, but not
    only are the
    methods still available, they still work. PROPFIND
    http://url/directory
    will still work, for example. This leads me to believe that
    the webdav app
    has very little to do with webdav functionality, but I can't
    find where else
    it is set.

    -Patrick

    -----Original Message-----
    From: PATTUS Jean-Philippe
    Sent: Tuesday, July 06, 2004 10:35 AM
    To: Tomcat Users List
    Subject: RE: howto disable webdav extensions / methods?

    did you try to stop the application webdav under Tomcat Manager.
    I think if you stop this application, all the webdav methods will be
    unavailable.

    -----Message d'origine-----
    De : Tim Funk
    Envoye : mardi 6 juillet 2004 17:04
    A : Tomcat Users List
    Objet : Re: howto disable webdav extensions / methods?


    How do you mean disable? The default servlet has an option to
    allow/disallow

    DELETE, etc.

    Oterwise - you can define a security constraint in web.xml on
    these methods
    and have them no be accessible by any role.

    -Tim



    Patrick Glennon wrote:
    Anyone have any thoughts on this? Maybe I'll try posting
    on the developer
    list, for the life of me, I can't seem to find where to
    shut this off.


    _____

    From: Patrick Glennon
    Sent: Thursday, July 01, 2004 4:52 PM
    To: 'Tomcat Users List'
    Subject: howto disable webdav extensions / methods?



    How do I disable the webdav extensions? Basically, I don't
    want to allow
    any of the webdav methods ( PROPFIND, OPTIONS, COPY,
    DELETE, etc... ), but
    I
    cannot find where to disable or limit them.



    This is running tomcat direct, I know how to do it with
    Apache, I just
    don't
    know how to do it with tomcat.
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
    For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Related Discussions

Discussion Navigation
viewthread | post