My goal is to DISABLE the HTTP TRACE method for my Spring Boot application, which is using embedded Undertow.

A working YAML change would be preferred; if not, code changes are fine too. The end result should ideally be a 4xx HTTP response code and no cookie value in the response. [spring.mvc.dispatch-trace-request: false is giving 200 OK, so it's no good for me.]

Breaking my head on this, shouldn't be this hard!

Diparati

1 Answer

To disable the default handling of TRACE in Spring Boot, you can override the behaviour of the doTrace handler on the DispatcherServlet.

Adding this component to your Spring config should do the trick. (The example is in Kotlin, but you can convert it to Java easily.)

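// javax.servlet applies to Spring Boot 2.x; Spring Boot 3 uses jakarta.servlet
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.stereotype.Component
import org.springframework.web.servlet.DispatcherServlet

@Component("dispatcherServlet")
class CustomDispatcherServlet : DispatcherServlet() {

    /**
     * We want to disable the default trace behaviour of returning the response
     * so we override the trace handling and process it as normal.
     * If the application doesn't support TRACE then a HTTP 405 response will be generated.
     */
    override fun doTrace(request: HttpServletRequest, response: HttpServletResponse) {
        processRequest(request, response)
    }
}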

This generates this response for a TRACE request:

{
    "timestamp": "2019-01-22T10:03:46.906+0000",
    "status": 405,
    "error": "Method Not Allowed",
    "message": "TRACE method is not allowed",
    "path": "/"
}
stjohnroe
Jacob Ellis
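
A check for the outcome the question asks for (a 4xx status and no cookie value reflected in the response), as an added example that is not part of the original question or answer. `check_trace` sends a TRACE request carrying a constructed canary cookie; `StubApp`, `run_against_stub` and the `SESSION` cookie name are hypothetical stand-ins so the block runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY = "trace-canary-7f3a"  # constructed marker, not a real session id

def check_trace(host, port, path="/"):
    """Send TRACE with a canary cookie; pass only on 4xx with no echo."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={"Cookie": "SESSION=" + CANARY})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        headers = " ".join(f"{k}: {v}" for k, v in resp.getheaders())
    finally:
        conn.close()
    echoed = CANARY in body or CANARY in headers
    return {"status": resp.status, "cookie_echoed": echoed,
            "ok": 400 <= resp.status < 500 and not echoed}

class StubApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the app: echoes TRACE or answers 405."""
    echo = True

    def do_TRACE(self):
        if self.echo:  # default servlet-style TRACE: reflect the request
            status, body = 200, (self.requestline + "\r\n" + str(self.headers)).encode()
        else:          # behaviour after the doTrace override: plain 405
            status, body = 405, b'{"status": 405, "error": "Method Not Allowed"}'
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def run_against_stub(echo):
    handler = type("Handler", (StubApp,), {"echo": echo})
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_trace("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_against_stub(echo=True), run_against_stub(echo=False))
```

To test the real application, call `check_trace` with its host and port instead of using the stub.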