[JACC_SPEC-1] Add support for Servlet deny uncovereed method flag Created: 13/Feb/13  Updated: 13/Feb/13

Status: Open
Project: jacc-spec
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Major
Reporter: monzillo Assignee: monzillo
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


In Servlet Security Constraint configuration, HTTP methods may be left uncovered in the following
three ways:

1. a security constraint names one or more HTTP methods in http-method elements.
All methods other than those named in the constraint are uncovered.

2. a security constraint names one or more HTTP methods in http-method-omission elements.
All methods that are named in the constraint are uncovered.

3. a @ServletSecurity annotation includes one or more HttpMethodConstraint objects,
each naming an HTTP method, and the top level HTTPConstraint that applies to all other
methods is indistinct from the default value which defines no protection requirements.
This case is analogous to case 1, and all methods other than those named in the
HTTPMethodConstraint objects are uncovered by the annotation.
fwiw, The setServletSecurity api can be used to achieve an analogous effect.

Servlet has proposed the definition of an optional flag in web.xml that when set for an app,
will cause, following constraint combination, any remaining uncovered methods (resulting from
any of the above causes), to be configured as denied. This conversion is consistent with the
recommendation that all methods be covered in constraint definition.

For JACC the issue is to enhance the Policy Configuration contract to perform the processing necessary to support the new Servlet flag

Generated at Mon Nov 30 23:04:10 UTC 2015 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.