https://issues.apache.org/bugzilla/show_bug.cgi?id=56568
--- Comment #3 from Konstantin Kolinko <knst.koli...@gmail.com> ---

The specification requirement is not to reject, but to provide "undefined behaviour". The rejection behaviour is a security hardening.

(In reply to Mark Thomas from comment #2)
> 3. Check the method via an over-ridable method that could be over-ridden
> by individual JSPs.

I think implementing "3." means that the check is moved from org.apache.jasper.servlet.JspServlet#service(...) into org.apache.jasper.runtime.HttpJspBase#service(...)

In this case there may be an alternative base class, e.g. "AnyMethodHttpJspBase", and the JSP pages may be patched to use

<%@page extends="o.a.j.runtime.AnyMethodHttpJspBase" %>

This strikes me as ugly / hacky.

> 2. Add an init param to the JSP Servlet to control the default methods
> supported

Maybe. As a regexp?
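An added sketch of option 2 with the regexp idea from the comment above; it is not code from Tomcat or from either commenter. The class name JspMethodPolicy, the "allowedMethods" init param name and the GET|POST|HEAD fallback are assumptions made for the example.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/** Hypothetical sketch: HTTP method allow-list driven by a regexp init param. */
public class JspMethodPolicy {
    // Assumed fallback for this sketch; the comment thread does not list the methods.
    private static final Pattern DEFAULT = Pattern.compile("GET|POST|HEAD");

    private final Pattern allowed;

    /** @param initParam value of a hypothetical "allowedMethods" init param, may be null */
    public JspMethodPolicy(String initParam) {
        Pattern p = DEFAULT;
        if (initParam != null && !initParam.trim().isEmpty()) {
            try {
                p = Pattern.compile(initParam.trim());
            } catch (PatternSyntaxException e) {
                // Fail closed: a broken configuration must not widen the policy.
                p = DEFAULT;
            }
        }
        this.allowed = p;
    }

    public boolean isAllowed(String method) {
        // matches() anchors both ends of the input; find() would let the
        // pattern "GET" accept a method string such as "XGETX".
        // HTTP method names are case-sensitive, so no CASE_INSENSITIVE flag.
        return method != null && allowed.matcher(method).matches();
    }

    public static void main(String[] args) {
        JspMethodPolicy def = new JspMethodPolicy(null);
        JspMethodPolicy rest = new JspMethodPolicy("GET|POST|HEAD|PUT|DELETE");
        JspMethodPolicy broken = new JspMethodPolicy("GET|("); // invalid regexp
        // Constructed sample methods, including a wrong-case and a padded one.
        for (String m : new String[] {"GET", "get", "PUT", "XGETX", "TRACE"}) {
            System.out.printf("%-6s default=%b rest=%b broken=%b%n",
                    m, def.isAllowed(m), rest.isAllowed(m), broken.isAllowed(m));
        }
    }
}
```

With a regexp as the configuration format, the hardening depends on full-string matching and on falling back to the restrictive default when the pattern does not compile.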