Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-848

No warning logged for uncovered HTTP methods by security constraints

    XMLWordPrintable

Details

    Description

      When securing some deployment, one can cover various HTTP methods for various URL resources. In case that there are some HTTP methods left uncovered, then according to the Servlet 3.1 specification in section 13.8.4.2 Handling Uncovered HTTP Methods, there is:

      During application deployment, the container must inform the deployer of any
      uncovered HTTP methods present in the application security constraint
      configuration resulting from the combination of the constraints defined for the
      application. The provided information must identify the uncovered HTTP protocol
      methods, and the corresponding URL patterns at which the HTTP methods are
      uncovered. The requirement to notify the deployer may be satisfied by logging the
      required information.

      Although when trying with attached simple app [^jboss-helloworld.war] it seems that no warning is logged at all.

      NOTE: from the functional point of view this seems to be working just fine; even when I add <deny-uncovered-http-methods/> element. Therefore just low-priority set.

      Attachments

        Issue Links

          Activity

            People

              sdouglas1@redhat.com Stuart Douglas
              sdouglas1@redhat.com Stuart Douglas
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: