[NEXUS-18712] jetty-http-redirect-to-https.xml overrides the default Jetty security filter allowing TRACE requests - Sonatype JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.14.0, 2.14.21
Fix Version/s: 3.15.0, 2.15.0
Component/s: Configuration
Labels:
- supportant

Story Points:
2

Description

By default Nexus does not allow HTTP TRACE requests.

$ curl -X TRACE -v http://localhost:8081/
*   Trying ::1...
* TCP_NODELAY set
* Connection failed
* connect to ::1 port 8081 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8081 (#0)
> TRACE / HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 403 Forbidden

However, if you add the "jetty-http-redirect-to-https.xml" file to the nexus-args in nexus.properties TRACE requests will succeed. I think this is because that configuration file is setting a new securityHandler without calling the existing one.

Attachments

Activity

People

Assignee:: Michael Bucher

Reporter:: Rich Seddon

Last Updated By:: Peter Lynch

Team:: NXRM - Morpheus

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 12/19/18 10:35 PM

Updated:: 02/16/22 02:59 PM

Resolved:: 01/07/19 09:57 PM

Date of First Response:: 21/Dec/18 3:11 PM