View Issue Details

IDProjectCategoryView StatusLast Update
0002616SymmetricDSImprovementpublic2016-06-10 10:22
ReportermmichalekAssigned Tommichalek 
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version3.7.33 
Target Version3.7.34Fixed in Version3.7.34 
Summary0002616: Tighten up default Jetty HTTP security settings
Description1. Disallow directory listings from Jetty.
2. Disallow the OPTIONS HTTP method by default.

This change allows for 3 new properties in symmetric-server.properties:
server.allow.dir.list=true|false, default is false.

server.allow.http.methods=a comma delimited list of HTTP methods which are allowed. When specified, methods that are not in this list will be forbidden (HTTP 403). e.g. "GET,POST,HEAD". default is blank.

server.disallow.http.methods=a comma delimited list of HTTP methods which are NOT allowed. Any method on this list will always result in HTTP 403. The default value is "OPTIONS".
TagsNo tags attached.

Activities

There are no notes attached to this issue.

Related Changesets

SymmetricDS: 3.7 e3a2d9ae

2016-06-02 16:23:09

mmichalek

Details Diff
0002616: Tighten up default Jetty HTTP security settings
0002616
mod - symmetric-core/src/main/java/org/jumpmind/symmetric/common/ServerConstants.java Diff File
mod - symmetric-server/src/main/java/org/jumpmind/symmetric/SymmetricWebServer.java Diff File
add - symmetric-server/src/main/java/org/jumpmind/symmetric/web/HttpMethodFilter.java Diff File

Issue History

Date Modified Username Field Change
2016-05-26 09:35 mmichalek New Issue
2016-05-26 09:35 mmichalek Status new => assigned
2016-05-26 09:35 mmichalek Assigned To => mmichalek
2016-06-02 16:18 mmichalek Description Updated View Revisions
2016-06-02 16:32 mmichalek Status assigned => resolved
2016-06-02 16:32 mmichalek Resolution open => fixed
2016-06-02 16:32 mmichalek Fixed in Version => 3.7.34
2016-06-02 17:00 mmichalek Changeset attached => SymmetricDS 3.7 e3a2d9ae
2016-06-10 10:22 elong Status resolved => closed