Thanks Greg. "Of course the other way in embedded jetty is to just write your own handler that does a 403 or 404 for any URI other than the ones you want."
This is what we're doing, in a roundabout fashion. I'll keep digging. Thanks for your help!

Pete

On Mon, Nov 6, 2017 at 7:47 PM, Greg Wilkins <[email protected]> wrote:
>
> Pete,
>
> this is one of the biggest mistakes of the servlet spec - the fact that
> "/" matches everything so it is difficult to block everything and allow
> only specific. The default mode of the servlet spec is allow everything
> and block the specific... which is not really very secure!
>
> From memory you have to put a constraint on "/", which will block
> everything. Then allow "" which will match "/", then allow your 4 other
> patterns.
> If that doesn't work then I'll have to check my memory.
>
> Of course the other way in embedded jetty is to just write your own
> handler that does a 403 or 404 for any URI other than the ones you want.
>
> cheers
>
> On 7 November 2017 at 11:24, Pete Carey <[email protected]> wrote:
>
>> Hello all.
>>
>> Embedded Jetty Question.
>>
>> What is the appropriate way to secure all endpoints *except* n endpoints?
>> In my case, n is 4. If it makes a difference, my subclassed DefaultServlet
>> serves up static content, and also handles the "/" endpoint in a particular
>> way, depending on the configuration of the application.
>>
>> My initial approach was:
>>
>> 1) Iterate over all of our servlets' paths (minus the 4 we want to remain
>> insecure) and create a constraint mapping for each, and add those to the
>> ConstraintSecurityHandler.
>>
>> 2) Add "/" to the ConstraintSecurityHandler.
>>
>> It appears that adding the "/" constraint mapping secures everything.
>> Perhaps this is according to spec; I just don't know.
>>
>> Hence my original question. How to lock everything down, except n
>> "path-specs"?
>>
>> Thanks in advance, and apologies if I'm missing something obvious (highly
>> likely).
>>
>> Pete
>
> --
> Greg Wilkins <[email protected]> CTO http://webtide.com
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
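The deny-by-default arrangement Greg describes (a constraint on "/" that locks everything, then carve-outs for the few public path specs), written out as an added example that is not from either poster. It assumes the Jetty 9.4 embedded API, a constructed allow-list of four paths, and a hypothetical in-memory user so it runs stand-alone.

```java
import java.util.*;
import org.eclipse.jetty.security.*;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.*;
import org.eclipse.jetty.util.security.*;

public class DenyByDefaultJetty {
    // Constructed sample allow-list: the n endpoints that stay reachable without auth.
    static final String[] PUBLIC_PATHS = { "/health", "/login", "/static/*", "/version" };

    static ConstraintSecurityHandler buildSecurityHandler() {
        List<ConstraintMapping> mappings = new ArrayList<>();
        // Deny by default: "/" is the servlet default pattern, so it catches every
        // request that no more specific path spec claims.
        Constraint lockdown = new Constraint("lockdown", Constraint.ANY_AUTH);
        lockdown.setAuthenticate(true);
        mappings.add(mapping(lockdown, "/"));
        // Carve-outs: an authenticate=false constraint on a more specific path spec
        // (exact or prefix) wins over the default "/" mapping for that path only.
        Constraint open = new Constraint();
        open.setAuthenticate(false);
        for (String path : PUBLIC_PATHS) mappings.add(mapping(open, path));

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setAuthenticator(new BasicAuthenticator());
        security.setConstraintMappings(mappings);
        // Hypothetical in-memory user store so the example runs on its own.
        HashLoginService login = new HashLoginService("app");
        UserStore users = new UserStore();
        users.addUser("admin", Credential.getCredential("change-me"), new String[] { "admin" });
        login.setUserStore(users);
        security.setLoginService(login);
        return security;
    }

    static ConstraintMapping mapping(Constraint c, String pathSpec) {
        ConstraintMapping m = new ConstraintMapping();
        m.setConstraint(c);
        m.setPathSpec(pathSpec);
        return m;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        ctx.setSecurityHandler(buildSecurityHandler());
        ctx.addServlet(DefaultServlet.class, "/"); // everything else answers 401 until authenticated
        server.setHandler(ctx);
        server.start(); server.join();
    }
}
```

A quick check after start-up: an unauthenticated GET to /health returns content, while the same request to any other path is answered with 401 before it reaches the servlet.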
