Only allow GET and PUT methods in web.xml:
<!--
  Grants GET and PUT on every URL to the roles root, guest and user.
  Because role-name entries are present, a caller has to authenticate and hold
  one of these roles; the login-config and security-role declarations that
  this relies on are not part of this snippet.
  NOTE(review): PUT is a write operation; confirm that guest is meant to have it.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>DAV resource</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>root</role-name>
    <role-name>guest</role-name>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
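<!--
  Denies the listed methods to everyone: an auth-constraint with no role-name
  entries authorizes no caller at all.
  This is a deny-list. A method that is named neither here nor in the GET/PUT
  constraint is matched by no security-constraint, so the container does not
  restrict it. TRACE and PATCH are listed for that reason; any further method
  the servlet answers has to be appended as well.
  The 2.3 DTD cannot express "every method except GET and PUT". Servlet 3.0
  descriptors add http-method-omission and Servlet 3.1 adds
  deny-uncovered-http-methods, which close this gap without an enumerated list.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>DAV resource</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>COPY</http-method>
    <http-method>DELETE</http-method>
    <http-method>HEAD</http-method>
    <http-method>LOCK</http-method>
    <http-method>MKCOL</http-method>
    <http-method>MOVE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>POST</http-method>
    <http-method>PROPFIND</http-method>
    <http-method>PROPPATCH</http-method>
    <http-method>UNLOCK</http-method>
    <http-method>VERSION-CONTROL</http-method>
    <http-method>REPORT</http-method>
    <http-method>CHECKIN</http-method>
    <http-method>CHECKOUT</http-method>
    <http-method>UNCHECKOUT</http-method>
    <http-method>MKWORKSPACE</http-method>
    <http-method>UPDATE</http-method>
    <http-method>LABEL</http-method>
    <http-method>MERGE</http-method>
    <http-method>BASELINE-CONTROL</http-method>
    <http-method>MKACTIVITY</http-method>
    <http-method>ACL</http-method>
    <http-method>SEARCH</http-method>
    <http-method>BIND</http-method>
    <http-method>UNBIND</http-method>
    <http-method>REBIND</http-method>
    <!-- standard methods missing from the original list -->
    <http-method>TRACE</http-method>
    <http-method>PATCH</http-method>
  </web-resource-collection>
  <!-- intentionally empty: no role may use the methods above -->
  <auth-constraint>
  </auth-constraint>
</security-constraint>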
At least, this is the behavior that this DTD describes:
http://java.sun.com/dtd/web-app_2_3.dtd
Andrew