2011/3/7 Olivier Lefevre <lefev...@yahoo.com>:
> I put this in my webapp's web.xml, the intent being to
> allow GET and POST over https and nothing else:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>forbidden</web-resource-name>
>     <url-pattern>/*</url-pattern>
>     <http-method>HEAD</http-method>
>     <http-method>PUT</http-method>
>     <http-method>DELETE</http-method>
>     <http-method>OPTIONS</http-method>
>     <http-method>TRACE</http-method>
>   </web-resource-collection>
>   <auth-constraint/>
> </security-constraint>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>secure</web-resource-name>
>     <url-pattern>/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> However when I try an http URL @ port 8080, i.e., a GET request,
> instead of getting a 403 error as expected the URL in the browser
> mutates all by itself to an https @ port 8443 and succeeds. Is
> it the correct behaviour? To my reading the spec is vague as to
> what exactly should happen then.
Why do you forbid HEAD? IMHO it should have the same constraints as GET, because browsers use them together.
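For comparison, an added web.xml fragment (not posted by either participant in this thread) that expresses "GET, POST and HEAD over https, nothing else" without enumerating the forbidden methods. It assumes a Servlet 3.0 container such as Tomcat 7, which is where <http-method-omission> becomes available; on a Servlet 2.5 container (Tomcat 6) you have to list the forbidden methods explicitly, as in the original post, and then any method you forgot to list (PATCH, or an arbitrary made-up verb) is simply unconstrained. The web-resource-name values are arbitrary.

```xml
<!-- Added example, not from the thread. Requires Servlet 3.0+ (Tomcat 7 or later)
     for <http-method-omission>. -->

<!-- 1. Deny every method EXCEPT GET, POST and HEAD.
        An empty <auth-constraint/> means no role is allowed, so the
        container answers 403 for any method this collection matches. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>deny-other-methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method-omission>GET</http-method-omission>
    <http-method-omission>POST</http-method-omission>
    <http-method-omission>HEAD</http-method-omission>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- 2. Require TLS for everything. No <http-method> list here, so the
        constraint covers all methods and nothing is left reachable over
        plain http by an unlisted verb. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>https-only</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

On the redirect the original poster saw: that is Tomcat's implementation of CONFIDENTIAL, not a 403. A plain-http request to a resource under a CONFIDENTIAL constraint is redirected to the same URL on the Connector's redirectPort (8443 in the stock server.xml), which is exactly the port change observed; only when the Connector has no usable redirectPort does Tomcat fall back to 403. You can see it without a browser with `curl -sI http://localhost:8080/yourapp/`, which should return a 302 whose Location header points at https://localhost:8443/yourapp/.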