Hi Silvio,

Both the jetty unit tests and informal testing show that jetty will return an error 403 Forbidden. For example, see: https://github.com/eclipse/jetty.project/blob/master/jetty-security/src/test/java/org/eclipse/jetty/security/SpecExampleConstraintTest.java#L264

Section 13.8.4.2 of the 3.1 Servlet Spec requires that 403 Forbidden is returned for denied uncovered methods:

"When the deny-uncovered-http-methods flag is set in the web.xml of an application, the container must deny any HTTP protocol method when it is used with a request URL for which the HTTP method is uncovered at the combined security constraint that applies to the url-pattern that is the best match for the request URL. The denied request shall be rejected as forbidden and a 403 (SC_FORBIDDEN) status code shall be returned."

Hope that helps,
Jan

On 14 January 2016 at 21:54, Silvio Bierman <[email protected]> wrote:
> Hello all,
>
> I am using Jetty 9.3.6.v20151106 and use ConstraintSecurityHandler to
> explicitly cover HTTP methods. I have called
> securityHandler.setDenyUncoveredHttpMethods(true).
>
> The problem is that Jetty does not actually deny the methods with a status
> 405 but instead returns an HTML page containing an error message. Security
> scanners employed by several of my customers flag this as allowing
> potentially harmful methods.
>
> How can I get Jetty to 405 uncovered methods? Do I have to cover them and
> 405 them myself?
>
> Thanks,
>
> Silvio
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users

--
Jan Bartel <[email protected]>
www.webtide.com
Expert assistance from the creators of Jetty and CometD
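The configuration the thread is about, as an added example that is not part of either message: a Jetty 9.3 ConstraintSecurityHandler that covers only GET and POST on an assumed /api/* path and enables the deny-uncovered flag, so any other method on that path is refused with the 403 the spec prescribes rather than a 405. Class and path names are illustrative.

```java
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.security.Constraint;

// Added example, not code from the jetty-users thread. Shows the programmatic
// equivalent of <deny-uncovered-http-methods/> in web.xml.
public class DenyUncoveredExample {

    static ConstraintSecurityHandler buildSecurityHandler() {
        // A constraint that permits the request without authentication.
        // Naming a method in a mapping is what "covers" it; a mapping with
        // no method would cover every method and leave nothing uncovered.
        Constraint open = new Constraint();
        open.setName("api-open");
        open.setAuthenticate(false);

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        for (String method : new String[] {"GET", "POST"}) {
            ConstraintMapping mapping = new ConstraintMapping();
            mapping.setPathSpec("/api/*");   // assumed application path
            mapping.setMethod(method);       // cover exactly this method
            mapping.setConstraint(open);
            security.addConstraintMapping(mapping);
        }
        // Uncovered methods on /api/* (PUT, DELETE, TRACE, ...) are now
        // rejected with 403 Forbidden, per Servlet 3.1 section 13.8.4.2.
        security.setDenyUncoveredHttpMethods(true);
        return security;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        ServletContextHandler context =
            new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        context.setSecurityHandler(buildSecurityHandler());
        // Servlets for /api/* would be registered on `context` here.
        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

To confirm the behaviour, send a covered and an uncovered method to the running server (for example `curl -i -X GET` and `curl -i -X TRACE` against `http://localhost:8080/api/items`) and compare the status lines: the uncovered one should read 403, not 405.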
