In the javax.faces.webapp.FacesServlet docs, it is mentioned:
Allowable HTTP Methods
The JSF specification only requires the use of the GET and POST http methods. If your web application does not require any other http methods, such as PUT and DELETE, please consider restricting the allowable http methods using the <http-method> and <http-method-omission> elements. Please see the Security section of the Java Servlet Specification for more information on the use of these elements.
My application indeed does not depend upon other HTTP methods (except GET and POST). Therefore, I am trying to use <http-method> (or <http-method-omission>) to exclude all methods except GET and POST.
In web.xml, JAAS Servlet security constraints are configured as follows.
<security-constraint>
    <display-name>AdminConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>ROLE_ADMIN</web-resource-name>
        <description/>
        <url-pattern>/admin_side/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ROLE_ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <display-name>UserConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>ROLE_USER</web-resource-name>
        <description/>
        <url-pattern>/user_side/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Using these elements,
<http-method>GET</http-method>
<http-method>POST</http-method>
I expect that all other HTTP methods are disallowed.
The GlassFish Server 4.1 however, logs the following warnings on the server terminal.
Warning: JACC: For the URL pattern /user_side/*, all but the following methods were uncovered: POST, GET
Warning: JACC: For the URL pattern /admin_side/*, all but the following methods were uncovered: POST, GET
What does it mean?
Also, instead of doing it in all <security-constraint> elements, can this be configured globally so that it applies to all resources in an application and all HTTP requests except GET and POST are omitted, i.e. applied globally to an application, perhaps by using a more general url-pattern like /*?
There is an example here.
<security-constraint>
    <display-name>WebConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>test</web-resource-name>
        <description/>
        <url-pattern>/test.jsp</url-pattern>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>dev</role-name>
    </auth-constraint>
</security-constraint>
The above element indicates that the resource referenced by the url pattern /test.jsp, when accessed by all the http-methods except GET, should be constrained to be viewed only by authenticated users belonging to the role dev. Please note that the security constraint does not apply for the http-method GET, but only for the other methods (POST, HEAD, PUT, etc.).
I found the last sentence in strong text confusing. Does it mean that using a GET request, resources listed in the given url-pattern are also accessible by anonymous users, because it means to say, "the security constraint does not apply for the http-method GET"?
It means that all methods except GET and POST are uncovered, meaning unprotected. Everyone can access the url pattern /user_side/* with methods like PUT and HEAD without authentication. To protect the other methods add the following:
If you are using Servlet 3.1 you can also use the shorter tag:
Yes, this is possible. You can use the url-pattern / to include all subfolders.
You are right, it means that an anonymous user can access the given url-pattern with the GET method. All other methods are protected.
See also:
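As an added example (not code from the question or the answer above), a small Python checker that applies the coverage rule behind GlassFish's "all but the following methods were uncovered" warning to a web.xml and lists, per url-pattern, the methods no constraint covers. The WEAK and FIXED samples are constructed, KNOWN_METHODS is an assumption (a container also treats any other method name as uncovered unless an omission constraint covers it), and the fix shown is the pre-3.1 approach: a second constraint with <http-method-omission> and an empty <auth-constraint/>, which denies the covered methods to everyone.

```python
import xml.etree.ElementTree as ET

KNOWN_METHODS = frozenset({"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"})

def _kids(el, name):
    # children by local name, ignoring the {namespace} prefix web.xml usually carries
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def uncovered_methods(web_xml):
    """Return {url-pattern: set of HTTP methods that no security-constraint covers}."""
    root = ET.fromstring(web_xml)
    covered = {}
    for sc in (e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "security-constraint"):
        for wrc in _kids(sc, "web-resource-collection"):
            named = {m.text.strip() for m in _kids(wrc, "http-method")}
            omitted = {m.text.strip() for m in _kids(wrc, "http-method-omission")}
            # <http-method> covers ONLY the listed methods; <http-method-omission> covers all but them
            cov = named or (KNOWN_METHODS - omitted)
            for up in _kids(wrc, "url-pattern"):
                covered.setdefault(up.text.strip(), set()).update(cov)
    # Servlet 3.1: <deny-uncovered-http-methods/> makes the container reject every uncovered pair
    if _kids(root, "deny-uncovered-http-methods"):
        return {p: set() for p in covered}
    return {p: set(KNOWN_METHODS - c) for p, c in covered.items()}

# Constructed sample: the question's constraint, which covers only GET and POST
WEAK = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>ROLE_USER</web-resource-name>
   <url-pattern>/user_side/*</url-pattern>
   <http-method>GET</http-method>
   <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>ROLE_USER</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

# Constructed fix: a second constraint covers every other method and, through an
# empty <auth-constraint/>, denies those methods to everyone
FIXED = WEAK.replace("</web-app>", """ <security-constraint>
  <web-resource-collection>
   <web-resource-name>deny-other-methods</web-resource-name>
   <url-pattern>/user_side/*</url-pattern>
   <http-method-omission>GET</http-method-omission>
   <http-method-omission>POST</http-method-omission>
  </web-resource-collection>
  <auth-constraint/>
 </security-constraint>
</web-app>""")
```

Running uncovered_methods(WEAK) reports HEAD, PUT, DELETE, OPTIONS and TRACE as uncovered for /user_side/*, while FIXED, or WEAK with <deny-uncovered-http-methods/> added under <web-app>, reports nothing uncovered.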