Is there a way to prevent the PUT or DELETE HTTP methods if you're not using
container managed security? If so, how?
I already have this to force the use of https:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
What changes are needed? I tried this but it didn't seem to work:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>HEAD</http-method>      <!-- added -->
        <http-method>PUT</http-method>       <!-- added -->
        <http-method>DELETE</http-method>    <!-- added -->
        <http-method>TRACE</http-method>     <!-- added -->
        <http-method>OPTIONS</http-method>   <!-- added -->
    </web-resource-collection>
    <auth-constraint>
        <role-name></role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Inserting these statements seems to turn off the automatic enforcement of HTTPS
that the first version achieved.
Any ideas? Thanks
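As an added example (not the asker's code), here is a web.xml fragment that keeps the HTTPS requirement for every method while denying the unwanted ones. It relies on two Servlet-spec rules: listing <http-method> elements narrows a constraint to only those methods (which is why the second snippet above stopped covering GET and POST), and an <auth-constraint/> with no <role-name> child denies all access; the resource names are assumptions.

```xml
<!-- Constraint 1: force HTTPS on every method for every URL.
     No <http-method> element is given, so it applies to all methods,
     which is the behaviour the first snippet in the question had. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Constraint 2: deny the listed methods outright.
     An empty <auth-constraint/> (no <role-name> child) means no role may
     access the resource, so the container rejects these requests (HTTP 403)
     whether or not the caller is logged in. This is NOT the same as
     <role-name></role-name>, which names a role with an empty name.
     No <user-data-constraint> is needed here; constraint 1 already covers
     the transport guarantee for these methods too. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Blocked Methods</web-resource-name>  <!-- assumed name -->
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
        <http-method>OPTIONS</http-method>
        <!-- HEAD, listed in the question, is deliberately left out: clients
             and load-balancer health checks commonly issue it. Add it back
             here if it really must be blocked. -->
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
```

On a Servlet 3.0 or later container, the same effect can be expressed in a single constraint by using <http-method-omission> for the methods to leave unconstrained, but the two-constraint form above works on older Servlet versions as well. Verify the result with a request for each method over plain HTTP and HTTPS: GET/POST should redirect to HTTPS, and PUT/DELETE should return 403.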