I put this in my webapp's web.xml, the intent being to allow GET and POST over https and nothing else:

<!-- Empty auth-constraint: no role may use the listed methods -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>forbidden</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>HEAD</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- GET and POST must use a confidential transport -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>secure</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

However when I try an http URL @ port 8080, i.e., a GET request, instead of getting a 403 error as expected the URL in the browser mutates all by itself to an https @ port 8443 and succeeds. Is it the correct behaviour? To my reading the spec is vague as to what exactly should happen then.

Thanks,
-- O.L.
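
An added example, not part of the original post and not Tomcat's own code: a small Python audit of the two constraints quoted above, reporting for each HTTP method whether it is denied, requires a confidential transport, or is named by no constraint at all. The `effective_policy` helper, the exact-match handling of `/*`, and the namespace-free copy of the XML are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the two constraints from the post; assumes no XML namespace.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>forbidden</web-resource-name><url-pattern>/*</url-pattern>
    <http-method>HEAD</http-method><http-method>PUT</http-method>
    <http-method>DELETE</http-method><http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>secure</web-resource-name><url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
</web-app>"""

def effective_policy(web_xml, methods, pattern="/*"):
    """Return {method: 'deny' | 'tls-required' | 'covered' | 'uncovered'}."""
    root = ET.fromstring(web_xml)
    result = {}
    for method in methods:
        covered = denied = tls = False
        for sc in root.iter("security-constraint"):
            for wrc in sc.findall("web-resource-collection"):
                texts = lambda tag: [e.text.strip() for e in wrc.findall(tag)]
                if pattern not in texts("url-pattern"):
                    continue  # simplification: exact pattern match only
                named, omitted = texts("http-method"), texts("http-method-omission")
                # No <http-method> entries means every method except the omitted ones.
                if (named and method not in named) or method in omitted:
                    continue
                covered = True
                auth = sc.find("auth-constraint")
                # An auth-constraint with no role-name denies all access.
                denied |= auth is not None and not auth.findall("role-name")
                guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
                tls |= guarantee.strip() in ("CONFIDENTIAL", "INTEGRAL")
        result[method] = ("deny" if denied else "tls-required" if tls
                          else "covered" if covered else "uncovered")
    return result

if __name__ == "__main__":
    for m in ("GET", "POST", "HEAD", "TRACE", "PATCH"):
        print(m, effective_policy(WEB_XML, [m])[m])
```

A method that appears in neither list, such as PATCH, comes back as `uncovered`: no constraint in this file applies to it, which matters when the goal is "GET and POST and nothing else".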