On 28/01/2022 13:28, Jasvant Singh wrote:
<snip/>
> The HttpHeaderSecurityFilter works for all URLs except the pattern provided in <security-constraints> setting.
That is expected. Security constraints are applied before the control is passed to the web application.
<snip/>
> Any help is really appreciated.
Is this really an issue? Do you actually need those headers on a 403 response? Keep in mind any 4xx response is going to result in the connection being closed.
If you have a genuine need for those headers on all responses, you'll need to re-architect your application. You'll need to remove all container provided security and implement it in the web application. If you do this I strongly recommend you use one of the existing security libraries rather than trying to implement it from scratch.
Mark
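A minimal web.xml showing the arrangement discussed in this thread, added here as an illustration and not taken from the original poster's snipped configuration. The filter name, resource name and URL patterns are constructed for the example.

```xml
<!-- Constructed example: names and URL patterns are illustrative. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">

  <!-- Runs inside the web application's filter chain, so it only sees
       requests that the container has already let through. -->
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Enforced by the container before control is passed to the web
       application. An empty auth-constraint denies all access, so the
       container answers /internal/* with 403 itself and the filter
       above never runs for that response. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>blocked</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

With this layout, responses for paths outside `/internal/*` carry the filter's headers, while the container-generated 403 for `/internal/*` does not.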