servlet-spec / SERVLET_SPEC-30

Configure default behavior of url pattern not covered by security constraint

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None

      Description

      If a URL pattern is not covered by a security-constraint, then the default behavior is "permit all".
      One would like to configure the default behavior to be "deny all".

        Activity

        Shing Wai Chan created issue -
        gregwilkins added a comment -

        Note that this used to be very difficult to do because it was impossible to add a constraint that forbade /* and then to add other constraints that relaxed the criteria on other URIs - because it was impossible to explicitly match "/".

        Now with the "" pattern matching root, it is possible to use normal constraints to implement a deny by default and permit by specific pattern approach. So maybe we don't need a change in the spec for this.

        Shing Wai Chan added a comment -

        Add Section 13.8.4, Uncovered HTTP Protocol Methods.
        Add deny-uncovered-http-methods in web.xml schema.

        Shing Wai Chan made changes -
        Field      | Original Value | New Value
        Status     | Open [ 1 ]     | Resolved [ 5 ]
        Resolution |                | Fixed [ 1 ]
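
A web.xml sketch of the two approaches discussed in the comments above: a deny-by-default constraint relaxed by more specific patterns, combined with deny-uncovered-http-methods. This is an added example, not taken from the issue or the specification text; the paths /public/* and /app/*, the role name "user" and the BASIC login-config are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Servlet 3.1: an HTTP method left uncovered by the constraint that best
       matches the request URL is denied instead of permitted. -->
  <deny-uncovered-http-methods/>

  <!-- Deny by default. An empty auth-constraint names no roles, so nobody is
       authorized. "/" is the default pattern, "" is the context root. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>deny-by-default</web-resource-name>
      <url-pattern>/</url-pattern>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Relaxation (hypothetical path): no auth-constraint means access without
       authentication. Only GET is named, so POST, PUT, HEAD etc. on
       /public/* are uncovered and therefore denied by the element above. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>

  <!-- Relaxation (hypothetical path and role): all methods, role "user" only. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>
```

deny-uncovered-http-methods only affects URL patterns that already appear in some security-constraint, which is why the deny-all constraint on "/" is still needed to cover paths that no other constraint names.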

          People

          • Assignee:
            Shing Wai Chan
            Reporter:
            Shing Wai Chan
          • Votes:
            1
            Watchers:
            1

            Dates

            • Created:
              Updated:
              Resolved: