http://issues.apache.org/bugzilla/show_bug.cgi?id=38221

           Summary: Tomcat always returns HTTP 403/Forbidden for HTTP PUT, etc
           Product: Tomcat 5
           Version: 5.0.28
          Platform: All
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connector:HTTP
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]

I have tried several config variations, but cannot get any non-POST/GET method to succeed. I am correctly overriding each method (doPut(HttpServerRequest, HttpServletResponse), etc), in this case using a JSP (JspServlet extends Servlet). The PUT request is well formed, and I am also passing the same JSESSIONID cookie that allows access via GET.

This symptom occurs with a default server config, as well as adding the below config sample to the webapp's web.xml.

    <security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/*</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>HEAD</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>HEAD</http-method>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>tomcat</role-name>
        <role-name>role1</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp?fail=true</form-error-page>
      </form-login-config>
    </login-config>

    <!-- Security roles referenced by this web application -->
    <security-role>
      <role-name>role1</role-name>
    </security-role>
    <security-role>
      <role-name>tomcat</role-name>
    </security-role>

My assumption is that there is a web/server.xml or System.setProperty Security.setProperty setting that needs to be enabled, although I was not able to locate this in the documentation.

PS - the above "<!-- If you list http methods, only those methods are protected -->" should be changed to "<!-- If you list http methods, only those methods are permitted -->"?? I'm not sure I understand the current statement as it relates to mutual exclusion of unlisted methods, as worded...
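
Added example, not part of the bug report or of Tomcat's code: under the Servlet specification, a security-constraint that lists http-method elements applies only to the listed methods, and one that lists none applies to every method. The Python sketch below audits a web.xml for methods that fall outside each constraint; the sample document (a cut-down version of the constraint above) and the list of methods checked are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Methods to check coverage for (an assumption of this example).
STANDARD_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

# Constructed sample: the report's constraint cut down to two listed methods.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Drop any XML namespace prefix so old and new web.xml schemas both match."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    """Stripped text of every descendant element called `name`."""
    return [(e.text or "").strip() for e in parent.iter() if _local(e.tag) == name]


def audit_constraints(web_xml_text):
    """Return, per web-resource-collection, the methods its constraint does not cover."""
    findings = []
    root = ET.fromstring(web_xml_text)
    for constraint in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        roles = _texts(constraint, "role-name")
        for coll in (e for e in constraint if _local(e.tag) == "web-resource-collection"):
            listed = set(_texts(coll, "http-method"))  # duplicate entries collapse
            # No <http-method> element means the constraint applies to every method.
            covered = listed or set(STANDARD_METHODS)
            findings.append({
                "patterns": _texts(coll, "url-pattern"),
                "roles": roles,
                "uncovered": sorted(set(STANDARD_METHODS) - covered),
            })
    return findings


if __name__ == "__main__":
    for f in audit_constraints(SAMPLE_WEB_XML):
        print(f["patterns"], "roles:", f["roles"], "not covered:", f["uncovered"])
```

Any method reported as not covered reaches the servlet without the auth-constraint check, so a non-empty list for a pattern that is meant to be fully protected is worth reviewing.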