View Issue Details

ID: 0002616
Project: SymmetricDS
Category: Improvement
View Status: public
Last Update: 2016-06-10 14:22
Reporter: mmichalek
Assigned To: mmichalek
Priority: normal
Status: closed
Resolution: fixed
Product Version: 3.7.33
Target Version: 3.7.34
Fixed in Version: 3.7.34
Summary: 0002616: Tighten up default Jetty HTTP security settings

Description:
1. Disallow directory listings from Jetty.
2. Disallow the OPTIONS HTTP method by default.

This change allows for 3 new properties in symmetric-server.properties:
server.allow.dir.list=true|false, default is false.

server.allow.http.methods=a comma delimited list of HTTP methods which are allowed. When specified, methods that are not in this list will be forbidden (HTTP 403). e.g. "GET,POST,HEAD". default is blank.

server.disallow.http.methods=a comma delimited list of HTTP methods which are NOT allowed. Any method on this list will always result in HTTP 403. The default value is "OPTIONS".
Tags: No tags attached.
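
The allow-list and deny-list semantics from the description, as an added Java sketch; it is not SymmetricDS's HttpMethodFilter or any code from the changeset. The class name MethodPolicy, the exact-match comparison and the deny-before-allow evaluation order are assumptions drawn from the description's wording ("will always result in HTTP 403").

```java
import java.util.LinkedHashSet;
import java.util.Properties;
import java.util.Set;

// Added illustration; MethodPolicy is a hypothetical name, not the project's filter.
public class MethodPolicy {
    private final Set<String> allowed;
    private final Set<String> disallowed;

    public MethodPolicy(Properties props) {
        // Defaults as stated in the issue: allow list blank, deny list "OPTIONS".
        allowed = parse(props.getProperty("server.allow.http.methods", ""));
        disallowed = parse(props.getProperty("server.disallow.http.methods", "OPTIONS"));
    }

    // Split a comma-delimited value, dropping blanks and surrounding whitespace.
    private static Set<String> parse(String csv) {
        Set<String> methods = new LinkedHashSet<>();
        for (String m : csv.split(",")) {
            if (!m.trim().isEmpty()) {
                methods.add(m.trim());
            }
        }
        return methods;
    }

    // Returns 403 when the method must be refused, 0 when the request may proceed.
    // Assumption: exact, case-sensitive match (HTTP method tokens are case-sensitive).
    public int check(String method) {
        if (disallowed.contains(method)) {
            return 403; // the deny list always wins
        }
        if (!allowed.isEmpty() && !allowed.contains(method)) {
            return 403; // an allow list is set and the method is not on it
        }
        return 0;
    }

    public static void main(String[] args) {
        Properties strict = new Properties(); // constructed sample configuration
        strict.setProperty("server.allow.http.methods", "GET,POST,HEAD,OPTIONS");
        MethodPolicy byDefault = new MethodPolicy(new Properties());
        MethodPolicy withAllowList = new MethodPolicy(strict);
        for (String m : new String[] {"GET", "OPTIONS", "TRACE", "PUT"}) {
            System.out.printf("%-8s defaults=%d allow-list=%d%n",
                    m, byDefault.check(m), withAllowList.check(m));
        }
    }
}
```

Under the stated defaults only OPTIONS is refused; methods such as TRACE or PUT are refused only once server.allow.http.methods is set or they are added to server.disallow.http.methods.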

Activities

There are no notes attached to this issue.

Related Changesets

SymmetricDS: 3.7 e3a2d9ae

2016-06-02 16:23:09

mmichalek

0002616: Tighten up default Jetty HTTP security settings
Affected Issues: 0002616
mod - symmetric-core/src/main/java/org/jumpmind/symmetric/common/ServerConstants.java
mod - symmetric-server/src/main/java/org/jumpmind/symmetric/SymmetricWebServer.java
add - symmetric-server/src/main/java/org/jumpmind/symmetric/web/HttpMethodFilter.java

Issue History

Date Modified Username Field Change
2016-05-26 13:35 mmichalek New Issue
2016-05-26 13:35 mmichalek Status new => assigned
2016-05-26 13:35 mmichalek Assigned To => mmichalek
2016-06-02 20:18 mmichalek Description Updated
2016-06-02 20:32 mmichalek Status assigned => resolved
2016-06-02 20:32 mmichalek Resolution open => fixed
2016-06-02 20:32 mmichalek Fixed in Version => 3.7.34
2016-06-02 21:00 mmichalek Changeset attached => SymmetricDS 3.7 e3a2d9ae
2016-06-10 14:22 elong Status resolved => closed