If you are using a WebAppContext, then the ConstraintSecurityHandler can be used.
Joakim Erdfelt / [email protected]

On Fri, Jan 15, 2016 at 4:59 AM, Silvio Bierman <[email protected]> wrote:
> Hello Jan,
>
> Thanks for the reply. At least I now know that Jetty would deny with an
> HTTP status instead of an error page, which probably means the methods are
> not blocked properly.
>
> I was so stupid not to mention that I am using Jetty in embedded mode. I
> do not use the web-application stuff nor do I have a web.xml. I must be
> doing something wrong with my embedding code. I will dive into this and
> come back here if I have questions.
>
> Cheers,
>
> Silvio
>
> On 01/15/2016 03:16 AM, Jan Bartel wrote:
>> Hi Silvio,
>>
>> Both the jetty unit tests and informal testing show that jetty will return
>> an error 403 Forbidden. For example, see:
>> https://github.com/eclipse/jetty.project/blob/master/jetty-security/src/test/java/org/eclipse/jetty/security/SpecExampleConstraintTest.java#L264
>>
>> Section 13.8.4.2 of the 3.1 Servlet Spec requires that 403 Forbidden is
>> returned for denied uncovered methods:
>>
>> "When the deny-uncovered-http-methods flag is set in the web.xml of an
>> application, the container must deny any HTTP protocol method when it is
>> used with a request URL for which the HTTP method is uncovered at the
>> combined security constraint that applies to the url-pattern that is the
>> best match for the request URL. The denied request shall be rejected as
>> forbidden and a 403 (SC_FORBIDDEN) status code shall be returned."
>>
>> Hope that helps,
>> Jan
>>
>> On 14 January 2016 at 21:54, Silvio Bierman <[email protected]> wrote:
>>> Hello all,
>>>
>>> I am using Jetty 9.3.6.v20151106 and use ConstraintSecurityHandler to
>>> explicitly cover HTTP methods. I have called
>>> securityHandler.setDenyUncoveredHttpMethods(true).
>>>
>>> The problem is that Jetty does not actually deny the methods with a
>>> status 405 but instead returns an HTML page containing an error message.
>>> Security scanners employed by several of my customers flag this as allowing
>>> potentially harmful methods.
>>>
>>> How can I get Jetty to 405 uncovered methods? Do I have to cover them and
>>> 405 them myself?
>>>
>>> Thanks,
>>>
>>> Silvio
>>
>> --
>> Jan Bartel <[email protected]>
>> www.webtide.com
>> Expert assistance from the creators of Jetty and CometD
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
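The embedded-mode setup the thread is about, written out as an added example against the Jetty 9.3 embedded API (this is not code from the thread or from the Jetty project): it covers GET and POST on an assumed /api/* path with denyUncoveredHttpMethods enabled, then sends one covered and three uncovered methods and reads back the status code, which is what a scanner evaluates regardless of the HTML error body. The servlet, path and ephemeral port are assumptions.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.security.Constraint;

public class DenyUncoveredMethodsExample {
    // Stand-in application servlet (constructed for this example).
    public static class EchoServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws java.io.IOException { resp.getWriter().print("ok"); }
    }

    // Explicitly cover one HTTP method on a path spec; the constraint permits it without login.
    static ConstraintMapping cover(String method, String pathSpec) {
        Constraint c = new Constraint();
        c.setAuthenticate(false);
        ConstraintMapping m = new ConstraintMapping();
        m.setPathSpec(pathSpec);
        m.setMethod(method);
        m.setConstraint(c);
        return m;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        ServerConnector connector = new ServerConnector(server);
        connector.setPort(0);  // ephemeral port, read back below
        server.addConnector(connector);
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");
        context.addServlet(EchoServlet.class, "/api/*");
        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.addConstraintMapping(cover("GET", "/api/*"));
        security.addConstraintMapping(cover("POST", "/api/*"));
        security.setDenyUncoveredHttpMethods(true);  // any other method on /api/* is refused with 403
        context.setSecurityHandler(security);
        server.setHandler(context);
        server.start();
        // Probe one covered and three uncovered methods; the status code is what matters, not the HTML body.
        for (String method : new String[] {"GET", "PUT", "DELETE", "TRACE"}) {
            HttpURLConnection conn = (HttpURLConnection) new URL("http://localhost:" + connector.getLocalPort() + "/api/items").openConnection();
            conn.setRequestMethod(method);
            System.out.println(method + " -> " + conn.getResponseCode());
        }
        server.stop();
    }
}
```

Because the deny path goes through sendError(403), Jetty's default error handler still renders an HTML body, so a check that only looks at the body will see an error page while the status line is already 403 Forbidden as the spec text quoted above requires.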
