Details
-
Bug
-
Resolution: Done
-
Minor
-
None
-
None
-
None
Description
When securing some deployment, one can cover various HTTP methods for various URL resources. In case that there are some HTTP methods left uncovered, then according to the Servlet 3.1 specification in section 13.8.4.2 Handling Uncovered HTTP Methods, there is:
During application deployment, the container must inform the deployer of any
uncovered HTTP methods present in the application security constraint
configuration resulting from the combination of the constraints defined for the
application. The provided information must identify the uncovered HTTP protocol
methods, and the corresponding URL patterns at which the HTTP methods are
uncovered. The requirement to notify the deployer may be satisfied by logging the
required information.
Although when trying with attached simple app [^jboss-helloworld.war] it seems that no warning is logged at all.
NOTE: from the functional point of view this seems to be working just fine; even when I add <deny-uncovered-http-methods/> element. Therefore just low-priority set.
Attachments
Issue Links
- clones
-
-
- Verified
-