Pete, this is one of the biggest mistakes of the servlet spec - the fact that "/" matches everything so it is difficult to block everything and allow only specific. The default mode of the servlet spec is allow everything and block the specific... which is not really very secure!
From memory you have to put a constraint on "/", which will block everything. Then allow "" which will match "/", then allow your 4 other patterns. If that doesn't work then I'll have to check my memory.

Of course the other way in embedded jetty is to just write your own handler that does a 403 or 404 for any URI other than the ones you want.

cheers

On 7 November 2017 at 11:24, Pete Carey <[email protected]> wrote:
> Hello all.
>
> Embedded Jetty Question.
>
> What is the appropriate way to secure all endpoints *except* n endpoints?
> In my case, n is 4. If it makes a difference, my subclassed DefaultServlet
> serves up static content, and also handles the "/" endpoint in a particular
> way, depending on the configuration of the application.
>
> My initial approach was:
>
> 1) Iterate over all of our servlets' paths (minus the 4 we want to remain
> insecure) and create a constraint mapping for each, and add those to the
> ConstraintSecurityHandler.
>
> 2) Add "/" to the ConstraintSecurityHandler.
>
> It appears that adding the "/" constraint mapping secures everything.
> Perhaps this is according to spec; I just don't know.
>
> Hence my original question. How to lock everything down, except n
> "path-specs"?
>
> Thanks in advance, and apologies if I'm missing something obvious (highly
> likely).
>
> Pete
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
>

--
Greg Wilkins <[email protected]>
CTO http://webtide.com
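The constraint arrangement Greg describes (close "/", reopen the exact root spec "", then reopen the n public path-specs), written out for embedded Jetty 9 as an added example. This is not code from the thread or from the Jetty project; the four public path-specs, the role name "user", the realm name and the realm.properties file are assumptions chosen for illustration. It relies on the servlet-spec matching order that ConstraintSecurityHandler applies: an exact spec ("" or "/login") and a prefix spec ("/static/*") are more specific than the default spec "/", so they win for the URIs they cover, while "/" still catches everything else, which is what turns the spec's allow-by-default into deny-by-default.

```java
// Added example (not from the jetty-users thread): deny-by-default
// ConstraintSecurityHandler for embedded Jetty 9.x.
import java.util.ArrayList;
import java.util.List;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.security.Constraint;

public class DenyByDefaultJetty {

    // Hypothetical allow-list: the n path-specs that stay unauthenticated.
    // "/login" and "/health" are exact specs, "/static/*" is a prefix spec,
    // "*.css" is a suffix spec; all are more specific than the default "/".
    static final String[] PUBLIC_PATHS = { "/login", "/health", "/static/*", "*.css" };

    static ConstraintMapping mapping(String pathSpec, Constraint c) {
        ConstraintMapping m = new ConstraintMapping();
        m.setPathSpec(pathSpec);
        m.setConstraint(c);
        return m;
    }

    static ConstraintSecurityHandler buildSecurityHandler() {
        // Closed constraint: caller must authenticate and hold role "user" (assumed role).
        Constraint closed = new Constraint();
        closed.setName(Constraint.__BASIC_AUTH);
        closed.setAuthenticate(true);
        closed.setRoles(new String[] { "user" });

        // Open constraint: no authentication required, no roles checked.
        Constraint open = new Constraint();
        open.setName("open");
        open.setAuthenticate(false);

        List<ConstraintMapping> mappings = new ArrayList<>();
        // 1. Default spec "/" matches every URI nothing more specific claims: closed.
        mappings.add(mapping("/", closed));
        // 2. Exact spec "" is the context root itself ("/" as a URI); it is more
        //    specific than the default spec, so this reopens just that one URI.
        mappings.add(mapping("", open));
        // 3. Each public path-spec is likewise more specific than "/" and reopens
        //    only the URIs it covers. Everything else remains closed.
        for (String p : PUBLIC_PATHS) {
            mappings.add(mapping(p, open));
        }

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setConstraintMappings(mappings);
        security.setAuthenticator(new BasicAuthenticator());
        // Assumed realm file, one line per user in the form  name: password,role
        security.setLoginService(new HashLoginService("MyRealm", "realm.properties"));
        return security;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        context.setSecurityHandler(buildSecurityHandler());
        // Stand-in for the subclassed DefaultServlet from the question.
        context.addServlet(DefaultServlet.class, "/");
        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

Two checks worth running once this is wired up: an anonymous request to an unlisted URI (say /admin) must come back 401, and an anonymous request to / and to each entry in PUBLIC_PATHS must come back 200, since a typo in one spec silently falls through to the closed default rather than failing loudly. Note that "/" (default spec) and "/*" (prefix spec) both cover the whole context, but only the default spec yields to a more specific mapping in the way this relies on; constraining "/*" would not be reopened by "".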
