[ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12731508#action_12731508 ]

Michael Elman commented on WINK-76:
-----------------------------------

The use case is exactly as Nick described: since many firewalls don't allow PUT 
or DELETE or custom HTTP methods, X-HTTP-Method-Override is used to override 
the real method.
However, the client should send POST with X-HTTP-Method-Override and not GET. I 
don't think we validate that it's really POST though, so technically it could 
be GET.

Thinking about it, it will be a bad practice to set authorization on REST web 
services using a container, regardless of whether we decide to turn it on or 
off by default:
* turning it on may cause a security exposure
* turning it off may block certain functionality (PUT, DELETE and custom)

> X-Method-Override and X-Http-Method-Override behavior
> -----------------------------------------------------
>
>                 Key: WINK-76
>                 URL: https://issues.apache.org/jira/browse/WINK-76
>             Project: Wink
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.1
>            Reporter: Bryant Luk
>
> Need to discuss X-Method-Override and X-Http-Method-Override behavior.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
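
Added example (not part of the original message, and not Apache Wink's code): a Python model of the override handling discussed in the comment above. It honors the header only on a real POST and reports when a container rule keyed on the real HTTP method would not cover the method the application dispatches on; the allow-list and the protected-method sets are constructed assumptions.

```python
# Added example: a model of the decision, not Apache Wink's implementation.
OVERRIDE_HEADERS = ("x-http-method-override", "x-method-override")
# Assumption: the methods this deployment lets a POST stand in for.
ALLOWED_TARGETS = frozenset({"PUT", "DELETE"})


def effective_method(real_method, headers, allowed=ALLOWED_TARGETS):
    """Return the method the application should dispatch on.

    The override is honored only on a real POST and only for allow-listed
    targets; anything else raises ValueError so the caller can answer 400.
    """
    real = real_method.upper()
    lowered = {name.lower(): value for name, value in headers.items()}
    override = next((lowered[h] for h in OVERRIDE_HEADERS if h in lowered), None)
    if override is None:
        return real
    if real != "POST":
        raise ValueError(f"override header not accepted on {real}")
    target = override.strip().upper()
    if target not in allowed:
        raise ValueError(f"override target {target!r} is not allow-listed")
    return target


def constraint_mismatch(real_method, headers, protected_methods):
    """True when a container rule keyed on the real method (for example
    <http-method> entries in a web.xml security-constraint) does not apply,
    although the application will dispatch a protected method."""
    protected = {m.upper() for m in protected_methods}
    return (effective_method(real_method, headers) in protected
            and real_method.upper() not in protected)


if __name__ == "__main__":
    tunnelled = {"X-HTTP-Method-Override": "DELETE"}  # constructed request
    # Container protects only PUT and DELETE: the rule never sees this POST.
    print(constraint_mismatch("POST", tunnelled, {"PUT", "DELETE"}))
    # Listing POST in the same constraint closes the gap.
    print(constraint_mismatch("POST", tunnelled, {"POST", "PUT", "DELETE"}))
```

Authorizing inside the application on the value returned by `effective_method` avoids depending on the container's view of the method.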
