Severe security constraints while tomcat 8 startup

2020-07-10 06:22发布

站内问答 / 后端开发
1357 1 4

I am getting the below severe message while the tomcat 8 comes up with liferay.

SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/bg/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
03-Sep-2015 07:06:00.733 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/sv/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
03-Sep-2015 07:06:00.733 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/zh/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.

This does not have any impact on server start up but not sure what is causing this? Any help would really appreciated.

1条回答
手持菜刀,她持情操
2楼-- · 2020-07-10 06:49

It means that in web.xml someone has specified a security constraint just for methods POST and GET on pattern /bg/c/portal/protected, possibly in a similar way to this:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/bg/c/portal/protected</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>...</transport-guarantee>
    </user-data-constraint>
</security-constraint>

You should either remove http-method brackets so it will match all methods for this url-pattern or create second one if you would like to set different security constraints on it without any http-method brackets.

For instance if you would like to secure with SSL /bg/c/portal/protected endpoint for the POST and GET methods, but for others you do not need that then you should create a config like this:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/bg/c/portal/protected</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <url-pattern>/bg/c/portal/protected</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

As you see now all methods for this pattern are covered, hence no error will be thrown.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)