Is there a way to prevent PUT or DELETE http methods if you're not using container managed security? If so, how?
I already have this to force the use of https:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <!-- auth-constraint goes here if you require authentication -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

What changes are needed? I tried this but it didn't seem to work:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>HEAD</http-method>     <!-- added -->
            <http-method>PUT</http-method>      <!-- added -->
            <http-method>DELETE</http-method>   <!-- added -->
            <http-method>TRACE</http-method>    <!-- added -->
            <http-method>OPTIONS</http-method>  <!-- added -->
        </web-resource-collection>
        <auth-constraint>
            <role-name></role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Inserting these statements seems to turn off the automatic enforcement of https which was achieved with the first version. Any ideas? Thanks
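Added example, not part of the original post: a small Python check that reads a web.xml and reports which HTTP methods on `/*` are not covered by a `CONFIDENTIAL` transport guarantee, applying the Servlet rule that a `web-resource-collection` listing `<http-method>` elements constrains only those methods. The helper names, the method list and the namespace-free sample descriptor are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the constraint from the post wrapped in <web-app>, with no
# XML namespace (an assumption; real descriptors usually declare one). The
# auth-constraint is left out because only transport coverage is computed here.
TEMPLATE = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>{methods}
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint></web-app>"""
FIRST = TEMPLATE.format(methods="")
SECOND = TEMPLATE.format(methods="".join(
    f"<http-method>{m}</http-method>" for m in ("HEAD", "PUT", "DELETE", "TRACE", "OPTIONS")))

ALL_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "TRACE", "OPTIONS")

def _texts(node, tag):
    return [(e.text or "").strip() for e in node.iter(tag)]

def coverage(web_xml, methods=ALL_METHODS):
    """Map each method to the transport guarantees of the constraints covering it on /*."""
    result = {m: [] for m in methods}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        for wrc in sc.iter("web-resource-collection"):
            if "/*" not in _texts(wrc, "url-pattern"):  # only the catch-all pattern is handled
                continue
            listed, omitted = _texts(wrc, "http-method"), _texts(wrc, "http-method-omission")
            for m in methods:
                # No <http-method> at all means every method is covered.
                covered = m in listed if listed else m not in omitted
                if covered:
                    result[m].append(guarantee)
    return result

def not_forced_to_https(web_xml):
    """Methods that no CONFIDENTIAL constraint on /* applies to."""
    return sorted(m for m, g in coverage(web_xml).items() if "CONFIDENTIAL" not in g)

if __name__ == "__main__":
    print("first version :", not_forced_to_https(FIRST))
    print("second version:", not_forced_to_https(SECOND))
```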