Servlet 3.1 Specification (JSR 340) is almost ready for release. Several new security features have been added in this version of the Servlet specification. In this blog, I will explain one of them, namely deny-uncovered-http-methods. Let us take a look at a simple security-constraint in web.xml as follows:

```xml
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         version="3.1"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
  <servlet>
    <servlet-name>TestServlet</servlet-name>
    <servlet-class>TestServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/myurl</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>javaee</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
```

The above snippet of web.xml indicates that when the url-pattern is /* and the http-method is GET, the resource is accessible only by a user with the role-name "javaee". The above security-constraint does not specify the behavior for http-methods other than GET, hence those will be accessible by everyone. Is this what we want? If a war with the web.xml above is deployed in GlassFish 4.0, the following log message will be seen in server.log:
JACC: For the URL pattern /*, all but the following methods were uncovered: GET
Suppose we don't want any user accessing http-methods other than GET. Then there are two ways to resolve this.
We can add another security-constraint for the above url-pattern that defines the behavior of all http-methods except GET, using http-method-omission as follows:

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method-omission>GET</http-method-omission>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

The empty auth-constraint grants access to no role, so every method other than GET is denied. This method works for Servlet 3.0 applications.
In Servlet 3.1, we can define deny-uncovered-http-methods in web.xml (not in web-fragment.xml) as follows:

```xml
<deny-uncovered-http-methods/>
```
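To make the "uncovered methods" idea concrete for both fixes above (the http-method-omission constraint and the Servlet 3.1 deny-uncovered-http-methods element), here is an added example, not code from the original post or from GlassFish: a small Python linter that reads a web.xml, works out which HTTP methods each url-pattern's security-constraints cover, and reports whether the uncovered ones are denied or left open. It assumes the standard seven HTTP methods stand in for "all methods" (a container may know further extension methods), and the sample web.xml strings are constructed from the post's snippet.

```python
"""Report HTTP methods that no security-constraint in a web.xml covers.

Added example, not code from the original post or from GlassFish.
Assumption: STANDARD_METHODS stands in for "all methods"; a container may
also know extension methods that this lint does not list.
"""
import xml.etree.ElementTree as ET

STANDARD_METHODS = frozenset(
    {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"})


def _local(elem):
    """Local tag name, with the javaee default namespace stripped if present."""
    return elem.tag.split("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c) == name]


def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]


def covered_methods(web_xml):
    """Map each url-pattern to the set of methods some constraint covers.

    A web-resource-collection covers the http-method elements it lists; with
    http-method-omission it covers everything except the omitted methods; with
    neither it covers all methods.
    """
    root = ET.fromstring(web_xml)
    covered = {}
    for sc in _children(root, "security-constraint"):
        for wrc in _children(sc, "web-resource-collection"):
            listed = set(_texts(wrc, "http-method"))
            omitted = set(_texts(wrc, "http-method-omission"))
            if listed:
                methods = listed
            elif omitted:
                methods = STANDARD_METHODS - omitted
            else:
                methods = set(STANDARD_METHODS)
            for pattern in _texts(wrc, "url-pattern"):
                covered.setdefault(pattern, set()).update(methods)
    return covered


def denies_uncovered(web_xml):
    """True if web.xml carries the Servlet 3.1 deny-uncovered-http-methods element."""
    return bool(_children(ET.fromstring(web_xml), "deny-uncovered-http-methods"))


def report(web_xml):
    """Per url-pattern: the uncovered methods and whether they are denied or open."""
    deny = denies_uncovered(web_xml)
    return {pattern: {"uncovered": STANDARD_METHODS - methods, "denied": deny}
            for pattern, methods in covered_methods(web_xml).items()}


# Constructed sample web.xml modelled on the post's snippet; {extra} is filled below.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>javaee</role-name></auth-constraint>
  </security-constraint>
  {extra}
</web-app>
"""

# Fix 1: cover every method except GET with an empty auth-constraint (denies all).
OMISSION_CONSTRAINT = """<security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>"""

# Fix 2: Servlet 3.1 element that denies whatever stays uncovered.
DENY_ELEMENT = "<deny-uncovered-http-methods/>"

if __name__ == "__main__":
    for label, extra in [("GET only", ""),
                         ("plus http-method-omission", OMISSION_CONSTRAINT),
                         ("plus deny-uncovered-http-methods", DENY_ELEMENT)]:
        for pattern, r in report(WEB_XML.format(extra=extra)).items():
            state = "denied" if r["denied"] else "OPEN to everyone"
            print(f"{label}: {pattern} uncovered={sorted(r['uncovered']) or 'none'} -> {state}")
```

With the post's original constraint alone the linter reports six uncovered methods on /* that are open to everyone, which matches the JACC warning GlassFish logs; adding the omission constraint leaves nothing uncovered, and adding deny-uncovered-http-methods leaves the same six uncovered but marks them denied.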