For TC 5.x.x, you need two security-constraints to do what you want. One of them looks like your first example, and the other like your second example (except that you probably want <auth-constraint />, which is "deny all", instead of <role-name/> which is deny to all but the blank role). Since you are forbidding all access, you could also drop the <user-data-constraint> on the second one (since with it, TC will first redirect a PUT to SSL, and then deny it).
"Ted Anagnost" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] Is there a way to prevent PUT or DELETE http methods if you're not using container managed security? If so, how? I already have this to force the use of https: <security-constraint> <web-resource-collection> <web-resource-name>Protected Context</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <!-- auth-constraint goes here if you requre authentication --> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> What changes are needed? I tried this but it didn't seem to work: <security-constraint> <web-resource-collection> <web-resource-name>Protected Context</web-resource-name> <url-pattern>/*</url-pattern> <http-method>HEAD</http-method> <---------------------------------- <http-method>PUT</http-method> <---------------------------------- <http-method>DELETE</http-method> <---------------------------------- <http-method>TRACE</http-method> <---------------------------------- <http-method>OPTIONS</http-method> <---------------------------------- </web-resource-collection> <auth-constraint> <role-name></role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> Inserting these statements seems to turn off the automatic enforcement of https which was achieved with the first version. Any ideas? Thanks --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]