Author: markt
Date: Thu Jun 20 11:03:54 2013
New Revision: 1494926

URL: http://svn.apache.org/r1494926
Log:
Explicitly deny the uncovered methods in the examples

Modified:
    tomcat/trunk/webapps/examples/WEB-INF/web.xml

Modified: tomcat/trunk/webapps/examples/WEB-INF/web.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/web.xml?rev=1494926&r1=1494925&r2=1494926&view=diff
==============================================================================
--- tomcat/trunk/webapps/examples/WEB-INF/web.xml (original)
+++ tomcat/trunk/webapps/examples/WEB-INF/web.xml Thu Jun 20 11:03:54 2013
@@ -235,12 +235,13 @@
     </jsp-config>
 
    <security-constraint>
-      <display-name>Example Security Constraint</display-name>
+      <display-name>Example Security Constraint - part 1</display-name>
       <web-resource-collection>
-         <web-resource-name>Protected Area</web-resource-name>
+         <web-resource-name>Protected Area - Allow methods</web-resource-name>
          <!-- Define the context-relative URL(s) to be protected -->
          <url-pattern>/jsp/security/protected/*</url-pattern>
-         <!-- If you list http methods, only those methods are protected -->
+         <!-- If you list http methods, only those methods are protected so -->
+         <!-- the constraint below ensures all other methods are denied     -->
          <http-method>DELETE</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
@@ -252,6 +253,20 @@
          <role-name>role1</role-name>
       </auth-constraint>
     </security-constraint>
+   <security-constraint>
+      <display-name>Example Security Constraint - part 2</display-name>
+      <web-resource-collection>
+         <web-resource-name>Protected Area - Deny methods</web-resource-name>
+         <!-- Define the context-relative URL(s) to be protected -->
+         <url-pattern>/jsp/security/protected/*</url-pattern>
+         <http-method-omission>DELETE</http-method-omission>
+         <http-method-omission>GET</http-method-omission>
+         <http-method-omission>POST</http-method-omission>
+         <http-method-omission>PUT</http-method-omission>
+      </web-resource-collection>
+      <!-- An empty auth constraint denies access -->
+      <auth-constraint />
+    </security-constraint>
 
     <!-- Default login configuration uses form-based authentication -->
     <login-config>
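Review bot: The omission list in the new "part 2" constraint (DELETE, GET, POST, PUT) must stay identical to the http-method list of "part 1", and nothing in the descriptor ties the two together; if a method is later added to part 1 only, part 2 still covers it and its empty auth-constraint precludes access, so the example would silently deny a method it meant to permit (fail-closed, but confusing to maintain). I would add a comment above the first http-method-omission line: `<!-- Keep this list identical to the http-method list in part 1: any method missing here is covered by this constraint and denied -->`. If the descriptor is at Servlet 3.1 level, `<deny-uncovered-http-methods/>` expresses the same intent without the duplicated list, though the two-constraint form may be deliberate for an example. The closing `</security-constraint>` is indented one space deeper than its opening tag, which mirrors the existing constraint above rather than fixing it.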


