How can I disable HTTP TRACE in embedded untertow of a Spring boot application

Question

My goal is to DISABLE HTTP TRACE method for my spring boot application, which is using embedded undertow.

A working yaml change will be preferred, if not, code changes are fine too. The end result should ideally be 4xx HTTP response code and no cookie value in response. [spring.mvc.dispatch-trace-request: false is giving 200 OK, so it's no good for me.]

Breaking my head on this, shouldn't be this hard!

Answer 1

To disable the default handling of trace in spring boot you can override the behaviour of the doTrace handler on the DispatcherServlet.

Adding this component to your spring config should do the trick. (Example is in Kotlin but you can convert to Java easily)

@Component("dispatcherServlet")
class CustomDispatcherServlet : DispatcherServlet() {

    /**
     * We want to disable the default trace behaviour of returning the response
     * so we override the trace handling and process it as normal.
     * If the application doesn't support TRACE then a HTTP 405 response will be generated.
     */
    override fun doTrace(request: HttpServletRequest, response: HttpServletResponse) {
        processRequest(request, response)
    }
}

This generates this response for a TRACE request

{
    "timestamp": "2019-01-22T10:03:46.906+0000",
    "status": 405,
    "error": "Method Not Allowed",
    "message": "TRACE method is not allowed",
    "path": "/"
}

Answer 2

java version of Jacob's answer

@Component("dispatcherServlet")
public class CustomDispatcherServlet extends DispatcherServlet {

    @Override
     public void doTrace(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        processRequest(request, response);
    }
}