fix: disable trace in web service

pulsar-broker/src/main/java/org/apache/pulsar/broker/web/WebService.java

@@ -31,6 +31,8 @@
 import org.apache.pulsar.broker.PulsarService;
 import org.apache.pulsar.broker.ServiceConfiguration;
 import org.apache.pulsar.jetty.tls.JettySslContextFactory;
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.server.ConnectionLimit;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.Server;
@@ -47,6 +49,7 @@
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.servlets.QoSFilter;
 import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.security.Constraint;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.glassfish.jersey.media.multipart.MultiPartFeature;
 import org.glassfish.jersey.server.ResourceConfig;
@@ -255,6 +258,7 @@ public void addServlet(String path, ServletHolder servletHolder, boolean require
         ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
         // Notice: each context path should be unique, but there's nothing here to verify that
         context.setContextPath(path);
+        constrainTraceMethod(context, path);
         context.addServlet(servletHolder, MATCH_ALL);
         if (attributeMap != null) {
             attributeMap.forEach((key, value) -> {
@@ -362,5 +366,17 @@ public Optional<Integer> getListenPortHTTPS() {
         }
     }
 
+    private void constrainTraceMethod(ServletContextHandler ctxHandler, String path) {
+        Constraint c = new Constraint();
+        c.setAuthenticate(true);
+        ConstraintMapping cmt = new ConstraintMapping();
+        cmt.setConstraint(c);
+        cmt.setMethod("TRACE");
+        cmt.setPathSpec(path);
+        ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
+        securityHandler.setConstraintMappings(new ConstraintMapping[] {cmt});
+        ctxHandler.setSecurityHandler(securityHandler);
+    }
+
     private static final Logger log = LoggerFactory.getLogger(WebService.class);
 }

pulsar-broker/src/test/java/org/apache/pulsar/broker/web/WebServiceTest.java

@@ -32,6 +32,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.net.HttpURLConnection;
 import java.net.URL;
 import java.security.KeyStore;
 import java.security.PrivateKey;
@@ -467,6 +468,26 @@ private void setupEnv(boolean enableFilter, String minApiVersion, boolean allowU
         }
     }
 
+    /**
+     * Using TRACE method to visit admin server, the response should be 403 forbidden
+     */
+    @Test
+    public void traceServer() throws Exception {
+        setupEnv(true, "1.0", true, false, false, false, -1, false);
+        String url = pulsar.getWebServiceAddress();
+        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
+        conn.setRequestMethod("TRACE");
+        conn.connect();
+        assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
+
+
+        url = pulsar.getWebServiceAddress() + "/admin/v2/brokers/ready";
+        conn = (HttpURLConnection) new URL(url).openConnection();
+        conn.setRequestMethod("TRACE");
+        conn.connect();
+        assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
+    }
+
     @AfterMethod(alwaysRun = true)
     void teardown() {
         if (pulsar != null) {