[SERVLET_SPEC-30] Configure default behavior of url pattern not covered by security constraint

Created: 17/Jan/12
Updated: 05/Mar/13
Resolved: 05/Mar/13

Status: Resolved
Project: servlet-spec
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature
Priority: Major
Reporter: Shing Wai Chan
Assignee: Shing Wai Chan
Resolution: Fixed
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If a URL pattern is not covered by security-constraint, then the default behavior is "permit all".
One would like to configure the default behavior to be "deny all".



 Comments   
Comment by gregwilkins [ 31/Jan/12 ]

Note that this used to be very difficult to do because it was impossible to add a constraint that forbade /* and then to add other constraints that relaxed the criteria on other URIs - because it was impossible to explicitly match "/".

Now with the "" pattern matching root, it is possible to use normal constraints to implement a deny by default and permit by specific pattern approach. So maybe we don't need a change in the spec for this.

Comment by Shing Wai Chan [ 05/Mar/13 ]

Add Section 13.8.4, Uncovered HTTP Protocol Methods.
Add deny-uncovered-http-methods in web.xml schema.
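
Editor's added example (not part of the issue or the specification text): a Servlet 3.1 web.xml sketch combining the two approaches discussed in the comments above, a deny-all constraint on /* relaxed by more specific patterns, plus the deny-uncovered-http-methods element. The /public/* path and the web-resource-name values are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Deny any HTTP method that the best-matching constraint below
       leaves uncovered (e.g. POST or PUT to /public/*). Without this
       element those methods would be unprotected, because only the
       best-matching url-pattern's constraints apply to a request. -->
  <deny-uncovered-http-methods/>

  <!-- Deny by default: an empty auth-constraint means no role is
       allowed, so every URL that has no better match is refused. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>deny-by-default</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Permit the context root: the "" pattern is an exact match and
       takes precedence over /*. Omitting auth-constraint means no
       authentication is required. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>context-root</web-resource-name>
      <url-pattern></url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>

  <!-- Permit GET on a hypothetical public area; the longer path
       prefix beats /*. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public-area</web-resource-name>
      <url-pattern>/public/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>
```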
