[https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12731472#action_12731472]
Bryant Luk commented on WINK-76:
--------------------------------
One of the patterns that I've seen is for the security config to restrict
access to POST, PUT, and DELETE to some privileged user role. However, the
application code itself does not do a further check in the POST resource method
nor does the application actually use the username or any other security
related information. If there's no proxy or anything in front that changes the
HTTP method, the container would receive the GET but then Wink changes it to a
POST. Unless the developer read the documentation and knew that Wink honors
the override headers, the developer may assume this is "good enough".
Let me know if I'm totally off base, but I would like to see this behavior
default to off with it being optionally turned on via a configuration. This is
to protect against bad code since the security intent is clear even if the
application code is not doing everything it can and should.
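The pattern the comment describes, as an added example (not Wink's code and not part of the original comment): a container-style security constraint keyed on the HTTP method that arrived on the wire, followed by a framework-style dispatch step that optionally rewrites the method from X-HTTP-Method-Override / X-Method-Override. The resource method does no role check of its own, so an anonymous GET carrying an override header reaches the POST handler when the override is honored. The `Request` type, the `admin` role, the three override policies and the tiny item resource are all constructed for the example; the "hardened" policy (only rewrite a POST, and re-run the role check against the target method) is an assumed mitigation, not something the issue specifies.

```python
"""Method-override bypass of a method-scoped security constraint (constructed demo)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed constraint, modelled on a servlet <security-constraint>:
# state-changing methods require the 'admin' role, GET is open to everyone.
PRIVILEGED_METHODS = {"POST", "PUT", "DELETE"}
REQUIRED_ROLE = "admin"
OVERRIDE_HEADERS = ("X-HTTP-Method-Override", "X-Method-Override")


@dataclass
class Request:
    method: str                      # method as seen on the wire
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    user: str = "anonymous"
    roles: FrozenSet[str] = frozenset()


def authorized_for(method: str, roles: FrozenSet[str]) -> bool:
    """Role check for one HTTP method, as the container would evaluate it."""
    return method not in PRIVILEGED_METHODS or REQUIRED_ROLE in roles


def container_authorize(req: Request) -> bool:
    """Container stage: the constraint only ever sees the wire method."""
    return authorized_for(req.method, req.roles)


def override_header(req: Request) -> Optional[str]:
    """Return the override target, if any (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in req.headers.items()}
    for name in OVERRIDE_HEADERS:
        value = lowered.get(name.lower())
        if value and value.strip():
            return value.strip().upper()
    return None


def effective_method(req: Request, policy: str) -> str:
    """Framework stage: decide which method the resource is routed on.

    policy == "off":      override headers are ignored (the default the comment asks for)
    policy == "on":       any request may be rewritten by the header
    policy == "hardened": assumed safer variant: only a POST may be rewritten,
                          and the target method must pass the same role check
    """
    target = override_header(req)
    if policy == "off" or target is None:
        return req.method
    if policy == "on":
        return target
    if policy == "hardened":
        if req.method != "POST" or not authorized_for(target, req.roles):
            return req.method          # drop the override rather than escalate
        return target
    raise ValueError(f"unknown policy {policy!r}")


def resource(method: str) -> Tuple[int, Optional[str]]:
    """Resource methods with no role check of their own (the 'good enough' assumption)."""
    if method == "GET":
        return 200, "listed"
    if method == "POST":
        return 201, "created"
    if method == "PUT":
        return 200, "replaced"
    return 405, None


def dispatch(req: Request, policy: str) -> Tuple[int, Optional[str]]:
    """Full request path: container constraint first, then framework override, then resource."""
    if not container_authorize(req):
        return 403, None
    return resource(effective_method(req, policy))


if __name__ == "__main__":
    # Constructed requests: an anonymous GET smuggling a POST, and a legitimate admin POST.
    anon_get = Request("GET", "/items", {"X-HTTP-Method-Override": "POST"})
    admin_post = Request("POST", "/items/1", {"x-http-method-override": "PUT"},
                         user="alice", roles=frozenset({"admin"}))
    for policy in ("on", "off", "hardened"):
        print(f"{policy:9s} anonymous GET+override -> {dispatch(anon_get, policy)}")
        print(f"{policy:9s} admin POST+override    -> {dispatch(admin_post, policy)}")
```

With the override honored by default, the anonymous GET is accepted by the container (GET is unrestricted) and then routed to the POST handler, which is exactly the gap the comment describes. Turning the override off, or only honoring it on a POST that already passed the constraint, keeps the container's method-based intent intact without relying on the resource code to re-check roles.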
> X-Method-Override and X-Http-Method-Override behavior
> -----------------------------------------------------
>
> Key: WINK-76
> URL: https://issues.apache.org/jira/browse/WINK-76
> Project: Wink
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.1
> Reporter: Bryant Luk
>
> Need to discuss X-Method-Override and X-Http-Method-Override behavior.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.