When securing some deployment, one can cover various HTTP methods for various URL resources. In case that there are some HTTP methods left uncovered, then according to the Servlet 3.1 specification in section 220.127.116.11 Handling Uncovered HTTP Methods, there is:
During application deployment, the container must inform the deployer of any
uncovered HTTP methods present in the application security constraint
configuration resulting from the combination of the constraints defined for the
application. The provided information must identify the uncovered HTTP protocol
methods, and the corresponding URL patterns at which the HTTP methods are
uncovered. The requirement to notify the deployer may be satisfied by logging the
Although when trying with attached simple app [^jboss-helloworld.war] it seems that no warning is logged at all.
NOTE: from the functional point of view this seems to be working just fine; even when I add <deny-uncovered-http-methods/> element. Therefore just low-priority set.