Java EE – warning: JACC: For the URL pattern XXX, all but the following methods were uncovered: POST, GET
In the javax.faces.webapp.FacesServlet documentation,
My application does not rely on any HTTP methods other than GET and POST. Therefore, I am trying to use <http-method> (or <http-method-omission>) to exclude all methods except GET and POST.
In web.xml, the JAAS servlet security constraints are configured as follows:
<security-constraint>
    <display-name>AdminConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>ROLE_ADMIN</web-resource-name>
        <description/>
        <url-pattern>/admin_side/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ROLE_ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <display-name>UserConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>ROLE_USER</web-resource-name>
        <description/>
        <url-pattern>/user_side/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Using these elements,
<http-method>GET</http-method>
<http-method>POST</http-method>
I hoped to disallow all other HTTP methods.
However, GlassFish Server 4.1 logs the following warning in the server console:
What does this mean?
Instead of repeating it in every <security-constraint> element, can this be configured globally so that it applies to all resources in the application, i.e. every HTTP method other than GET and POST is excluded for the whole application, perhaps by using a more general URL pattern such as /*?
There is an example here.
I found the last sentence in the text above confusing. Does it mean that anonymous users can also access the resources matched by the given URL pattern with GET requests, since it says that "the security constraint does not apply to the HTTP method GET"?
Solution
This means that all methods except GET and POST are uncovered, i.e. they are not protected. Anyone can access the URL pattern /user_side/* with methods such as PUT and HEAD without authentication.
To protect the other methods, add the following:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected</web-resource-name>
        <url-pattern>/user_side/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
If you are using Servlet 3.1, you can also use the shorter tag:
<deny-uncovered-http-methods/>
Yes, it is possible. You can use the url-pattern /* to include all subfolders.
You are right: it means that anonymous users can access the given URL pattern with the GET method. All other methods are protected.
You can also see:
> security-constraint url-pattern and the * character within web.xml
> Exclude css & image resources in web.xml Security Constraint
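The JACC warning in the question is the container performing a coverage check over the security constraints. The following Python script is an added example (not part of the question or the answer) that reproduces that check offline for a web.xml: it works out, per url-pattern, which HTTP methods some constraint covers, and reports the rest in the style of the GlassFish message. The sample web.xml is constructed from the constraints posted above (descriptions and transport guarantees left out); the namespace URI is the standard Java EE 7 one, and the merge rules for <http-method> versus <http-method-omission> follow the Servlet specification.

```python
"""Report HTTP methods that a web.xml leaves uncovered, per url-pattern.

Added example based on the constraints in the question. Coverage of a
url-pattern is tracked as (all_except, methods):
  (False, {GET, POST})  only GET and POST are covered by some constraint
  (True,  {TRACE})      every method except TRACE is covered
  (True,  set())        every method is covered
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _methods(elem, name):
    return {c.text.strip().upper() for c in _children(elem, name) if c.text}


def _union(a, b):
    """Merge two coverage descriptors for the same url-pattern."""
    if a is None:
        return b
    a_all, a_set = a
    b_all, b_set = b
    if a_all and b_all:
        return (True, a_set & b_set)      # uncovered only if both omit it
    if a_all:
        return (True, a_set - b_set)      # b names some of what a omitted
    if b_all:
        return (True, b_set - a_set)
    return (False, a_set | b_set)         # both enumerate methods


def coverage_by_pattern(web_xml):
    """Map each constrained url-pattern to its (all_except, methods) coverage."""
    root = ET.fromstring(web_xml)
    coverage = {}
    for sc in _children(root, "security-constraint"):
        for wrc in _children(sc, "web-resource-collection"):
            named = _methods(wrc, "http-method")
            omitted = _methods(wrc, "http-method-omission")
            # A collection may use one style or neither; <http-method> wins
            # here if a (non-conforming) file mixes both. No method element
            # at all means the collection covers every method.
            cov = (False, named) if named else (True, omitted)
            for p in _children(wrc, "url-pattern"):
                pattern = p.text.strip()
                coverage[pattern] = _union(coverage.get(pattern), cov)
    return coverage


def uncovered_report(web_xml):
    """Return {url_pattern: message} for patterns with uncovered methods.

    An empty dict means nothing is left uncovered, which is also what
    <deny-uncovered-http-methods/> (Servlet 3.1) guarantees.
    """
    root = ET.fromstring(web_xml)
    if _children(root, "deny-uncovered-http-methods"):
        return {}
    report = {}
    for pattern, (all_except, methods) in coverage_by_pattern(web_xml).items():
        if all_except and not methods:
            continue
        listed = ", ".join(sorted(methods))
        if all_except:
            report[pattern] = f"the following methods were uncovered: {listed}"
        else:
            report[pattern] = f"all but the following methods were uncovered: {listed}"
    return report


# Constructed sample: the two constraints from the question, GET and POST only.
QUESTION_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ROLE_ADMIN</web-resource-name>
      <url-pattern>/admin_side/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ROLE_ADMIN</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ROLE_USER</web-resource-name>
      <url-pattern>/user_side/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ROLE_USER</role-name></auth-constraint>
  </security-constraint>
  %s
</web-app>"""

# The answer's fix for /user_side/*: an empty <auth-constraint/> denies every
# method the omission leaves, i.e. everything except GET and POST.
OMISSION_FIX = """<security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/user_side/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>"""

DENY_UNCOVERED = "<deny-uncovered-http-methods/>"

if __name__ == "__main__":
    for label, extra in (("as posted", ""), ("with omission fix", OMISSION_FIX),
                         ("with deny-uncovered", DENY_UNCOVERED)):
        print(label, uncovered_report(QUESTION_WEB_XML % extra))
```

Run as a script, the first report flags both /admin_side/* and /user_side/* exactly as the GlassFish warning does; adding the answer's omission constraint clears /user_side/* only, while <deny-uncovered-http-methods/> clears the whole file without touching each constraint. The check deliberately does not enumerate a fixed list of HTTP verbs, because an <http-method>-only constraint leaves every other verb uncovered, including ones the container has never heard of.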