Disabling TRACE in Selenium

I have seen this question come up at least twice on the Selenium forums, so I thought I might as well create a blog post which shows how the TRACE call can be disabled in the Selenium uber jar.

There’s no direct way of doing it. From what I have googled around, it looks like TRACE calls are disabled by default when the Jetty server runs in standalone mode, but that is not the case when the Jetty server runs in embedded mode [ this is the mode in which Selenium standalone runs for both grid/node roles ].

All said and done, here’s how you can have this disabled.

  • Create a package named org.seleniumhq.jetty9.server
  • Within this package, copy and paste the entire contents of “Server.java” [ this java class is available via this dependency ]
  • In the locally copied version of Server.java, find the method named “org.seleniumhq.jetty9.server.Server#handle” and replace it with the modified version listed further down in this post.
  • You will have to build a custom uber standalone jar
    • To do this, add a dependency on selenium-server [ I work with Maven, so I know of Maven only ]
    • Create a standalone java class, let’s call it LocalServer.java, with a main(String[] args) method like the one listed further down in this post
    • Using the maven assembly plugin, build an uber jar whose manifest file names the newly created LocalServer class as the main class.

Now when I tried invoking an HTTP TRACE call, it got blocked and I received a 403 Forbidden error.

curl  -X TRACE http://localhost:4444/
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 403 </title>
</head>
<body>
<h2>HTTP ERROR: 403</h2>
Problem accessing /. Reason:
<pre>    TRACE is explicitly disabled.</pre>

<hr />

<i><small>Powered by Jetty://</small></i>
</body>
</html>
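
LocalServer.java:

import org.openqa.grid.selenium.GridLauncher;

// Entry point named in the uber jar's manifest. It only delegates to Selenium's
// own launcher, so the locally copied Server class is the one that gets loaded.
public class LocalServer {
    public static void main(String[] args) throws Exception {
        GridLauncher.main(args);
    }
}
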
Modified Server#handle method:

public void handle(HttpChannel<?> connection) throws IOException, ServletException {
    String target = connection.getRequest().getPathInfo();
    Request request = connection.getRequest();
    Response response = connection.getResponse();
    // Reject TRACE before any handler sees the request.
    if (HttpMethod.TRACE.is(request.getMethod())) {
        response.sendError(403, request.getMethod() + " is explicitly disabled.");
        // Stop here so the rejected request is not passed on to the handler chain.
        return;
    }
    if(LOG.isDebugEnabled()) {
        LOG.debug(request.getDispatcherType() + " " + request.getMethod() + " " + target + " on " + connection, new Object[0]);
    }

    if(!HttpMethod.OPTIONS.is(request.getMethod()) && !"*".equals(target)) {
        this.handle(target, request, request, response);
    } else {
        if(!HttpMethod.OPTIONS.is(request.getMethod())) {
            response.sendError(400);
        }

        this.handleOptions(request, response);
        if(!request.isHandled()) {
            this.handle(target, request, request, response);
        }
    }

    if(LOG.isDebugEnabled()) {
        LOG.debug("RESPONSE " + target + "  " + connection.getResponse().getStatus() + " handled=" + request.isHandled(), new Object[0]);
    }
}

A full-fledged working example can be found at: https://github.com/RationaleEmotions/selenium-server
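
The curl check shown earlier can be scripted so that it is repeated after every rebuild of the jar. This is an added example, not code from this post or from the Selenium project: it sends a TRACE request carrying a canary header and reports whether the server answered with a 2xx status or echoed the header back. The names check_trace, run_stub and StubServer, the canary value and the local stub server are constructed for illustration so the script runs offline; point check_trace at your own hub (for example localhost, port 4444) to use it for real.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY = "trace-canary-7f3a"  # constructed value, only used to detect an echo

def check_trace(host, port, timeout=5):
    """Send TRACE / with a canary header; return (status, echoed, verdict)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Canary": CANARY})
        resp = conn.getresponse()
        body = resp.read().decode("iso-8859-1", "replace")
    finally:
        conn.close()
    echoed = CANARY in body  # a TRACE-enabled server reflects request headers
    enabled = echoed or 200 <= resp.status < 300
    return resp.status, echoed, "TRACE enabled" if enabled else "TRACE blocked"

class StubServer(BaseHTTPRequestHandler):
    """Constructed stand-in for a server; `blocked` selects the behaviour."""
    blocked = False

    def do_TRACE(self):
        if self.blocked:
            # Same status and reason text as the patched handle() method.
            self.send_error(403, "TRACE is explicitly disabled.")
            return
        # Unpatched behaviour: echo the request back as message/http.
        body = (self.requestline + "\r\n" + str(self.headers)).encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet

def run_stub(blocked):
    """Start a stub on a free localhost port and return the server object."""
    handler = type("Stub", (StubServer,), {"blocked": blocked})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for blocked in (False, True):
        print(blocked, check_trace("127.0.0.1", run_stub(blocked).server_port))
```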
