Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-5865

No warning logged for uncovered HTTP methods by security constraints

    XMLWordPrintable

Details

    • Bug
    • Status: Verified (View Workflow)
    • Minor
    • Resolution: Done
    • 7.1.0.DR3
    • 7.1.0.DR10
    • Undertow
    • None

    Description

      When securing some deployment, one can cover various HTTP methods for various URL resources. In case that there are some HTTP methods left uncovered, then according to the Servlet 3.1 specification in section 13.8.4.2 Handling Uncovered HTTP Methods, there is:

      During application deployment, the container must inform the deployer of any
      uncovered HTTP methods present in the application security constraint
      configuration resulting from the combination of the constraints defined for the
      application. The provided information must identify the uncovered HTTP protocol
      methods, and the corresponding URL patterns at which the HTTP methods are
      uncovered. The requirement to notify the deployer may be satisfied by logging the
      required information.

      Although when trying with attached simple app jboss-helloworld.war it seems that no warning is logged at all.

      NOTE: from the functional point of view this seems to be working just fine; even when I add <deny-uncovered-http-methods/> element. Therefore just low-priority set.

      Attachments

        Issue Links

          Activity

            People

              rpelisse@redhat.com Romain Pelisse
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: