Posted by swchan2
on April 19, 2013 at 10:54 AM PDT
The Servlet 3.1 Specification (JSR 340) is almost ready for release. Several new security features have been added in this version of the Servlet specification.
In this blog post, I will explain one of those security features, namely deny-uncovered-http-methods.
Let us take a look at a simple web.xml as follows:
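The post's web.xml listing did not survive extraction, so the following is an added reconstruction based only on what the text says about it (url-pattern /*, http-method GET, role-name javaee); it is not the author's original snippet. The web-resource-name, the login-config and the realm-name are assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, reconstructed from the description in the post (not the original snippet).
     Only GET on /* is constrained; every other HTTP method on /* is "uncovered" and is
     therefore reachable by everyone, including unauthenticated clients. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <security-constraint>
        <web-resource-collection>
            <!-- web-resource-name is an assumption; any name will do -->
            <web-resource-name>Protected</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- Listing a method narrows the constraint to that method only -->
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>javaee</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- login-config and realm-name are assumptions; any auth-method shows the same effect -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>file</realm-name>
    </login-config>

    <security-role>
        <role-name>javaee</role-name>
    </security-role>
</web-app>
```

The practical consequence is easy to check: an unauthenticated GET to the context root is met with a 401 challenge, while an unauthenticated POST, PUT or DELETE to the same path is passed straight through to the servlet. Note in particular that HttpServlet routes HEAD to doGet, so a HEAD request reaches the same code the GET constraint was meant to protect, and a servlet whose doPost delegates to doGet is equally exposed. This is the "verb tampering" problem that the uncovered-methods warning is about.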
The web.xml above indicates that when the url-pattern is /* and the http-method is GET, the resource is accessible only by a user with role-name "javaee". The security-constraint does not specify the behavior of the other http-methods (POST, PUT, DELETE, and so on), hence those will be accessible by everyone. Is that what we want? If a war with the web.xml above is deployed in GlassFish 4.0, the following log message will be seen in server.log:
JACC: For the URL pattern /*, all but the following methods were uncovered: GET
Suppose we don't want any user to access an http-method other than GET. Then there are two ways to resolve this.
- We can add another security-constraint for the above url-pattern that defines the behavior of all http-methods except GET, using http-method-omission, as follows:
This approach works for Servlet 3.0 applications (and remains valid in Servlet 3.1).
- In Servlet 3.1, we can define deny-uncovered-http-methods in web.xml (not in web-fragment.xml) as follows:
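Neither of the two listings referred to above survived extraction, so here are both fixes as an added example (not the post's own snippets). Both fragments are assumed to go inside the same <web-app> element as the GET-only security-constraint for /*; the web-resource-name is an assumption.

```xml
<!-- Added example (not the original post's snippets). Two alternative ways to close the
     hole left by a constraint that covers only GET on /*. Use one or the other. -->

<!-- Way 1: Servlet 3.0 and later. A second security-constraint matches every method
     EXCEPT GET on /* via http-method-omission. Its empty auth-constraint permits no
     role at all, so the container answers 403 Forbidden for POST, PUT, DELETE, HEAD, ... -->
<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is an assumption -->
        <web-resource-name>Everything but GET</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

<!-- Way 2: Servlet 3.1 only. One empty top-level element in web.xml (it is not honored
     in web-fragment.xml) tells the container to deny, with 403 Forbidden, every HTTP
     method that the security-constraints leave uncovered for a constrained url-pattern. -->
<deny-uncovered-http-methods/>
```

Two caveats worth keeping in mind. First, deny-uncovered-http-methods only acts on url-patterns that already appear in some security-constraint; a path that no constraint mentions at all is unconstrained before and after the element is added, so it is a safety net for partially covered patterns, not a default-deny for the whole application. Second, the two approaches differ in scope: Way 1 fixes the one url-pattern it names, whereas Way 2 applies to every constrained pattern in the web.xml, which is usually what you want and is the reason the single element was added to the 3.1 specification. After deploying either version, an unauthenticated POST to the context root should now return 403 instead of reaching the servlet, and the "JACC: ... were uncovered" line should no longer appear in server.log.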