Java Reference
In-Depth Information
to those methods at the same patterns; for an example, see security constraint #5 in
the next bullet.
For example, to permit GET and POST on /company/*, where POST requires an authenticated user in the sales role and GET is permitted without constraint, you could define the following constraints. Note that these two constraints say nothing about any other method (PUT, DELETE, and so on); see the next bullet for how to deny everything you have not explicitly permitted:
<!-- SECURITY CONSTRAINT #3 -->
<security-constraint>
  <display-name>Allow unprotected GET</display-name>
  <web-resource-collection>
    <url-pattern>/company/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
</security-constraint>
<!-- SECURITY CONSTRAINT #4 -->
<security-constraint>
  <display-name>Require authentication for POST</display-name>
  <web-resource-collection>
    <url-pattern>/company/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>sales</role-name>
  </auth-constraint>
</security-constraint>
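To see what the two constraints above actually cover, and what they leave open, the following added example (not code from the tutorial) parses a web.xml fragment and reports, for one url-pattern, the effective policy per HTTP method: covered by which constraint, with what effect, or uncovered by any constraint at all. It first analyzes constraints #3 and #4 alone, then appends a constraint #5 built from the description in the next bullet (http-method-omission for GET and POST plus an auth-constraint naming no roles) and shows that the remaining methods become denied. The method list, the function names, and the simplification of grouping constraints by the literal url-pattern string rather than servlet best-match resolution are assumptions of this example; the combination rules follow Servlet spec section 13.8.1 (an auth-constraint naming no roles overrides everything else; a missing auth-constraint overrides named roles).

```python
"""Uncovered-HTTP-method check for web.xml security constraints (added example)."""
import xml.etree.ElementTree as ET

# Methods a container will commonly see; the list is an assumption of this example.
HTTP_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH")

# Constructed web.xml fragment modelling constraints #3 and #4 only.
# No xmlns is declared so ElementTree tag names need no namespace prefix.
WEB_XML_3_4 = """<web-app>
  <!-- SECURITY CONSTRAINT #3 -->
  <security-constraint>
    <display-name>Allow unprotected GET</display-name>
    <web-resource-collection>
      <url-pattern>/company/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
  <!-- SECURITY CONSTRAINT #4 -->
  <security-constraint>
    <display-name>Require authentication for POST</display-name>
    <web-resource-collection>
      <url-pattern>/company/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sales</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed constraint #5 as the text describes it: omit GET and POST, empty auth-constraint.
CONSTRAINT_5 = """  <!-- SECURITY CONSTRAINT #5 -->
  <security-constraint>
    <display-name>Deny all HTTP methods except GET and POST</display-name>
    <web-resource-collection>
      <url-pattern>/company/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
"""


def with_constraint_5(web_xml):
    """Return the document with constraint #5 appended inside <web-app>."""
    return web_xml.replace("</web-app>", CONSTRAINT_5 + "</web-app>")


def parse_constraints(web_xml):
    """Flatten every web-resource-collection into one record carrying its constraint's effect."""
    records = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        name = sc.findtext("display-name", default="(unnamed)").strip()
        auth = sc.find("auth-constraint")
        if auth is None:
            kind, roles = "unprotected", frozenset()      # no auth-constraint: anyone may access
        else:
            roles = frozenset(r.text.strip() for r in auth.findall("role-name"))  # "*" = any authenticated
            kind = "denied" if not roles else "roles"     # empty auth-constraint precludes access
        for wrc in sc.findall("web-resource-collection"):
            records.append({
                "name": name, "kind": kind, "roles": roles,
                "patterns": {p.text.strip() for p in wrc.findall("url-pattern")},
                "methods": {m.text.strip().upper() for m in wrc.findall("http-method")},
                "omitted": {m.text.strip().upper() for m in wrc.findall("http-method-omission")},
            })
    return records


def covers(record, method):
    """Servlet 3.x rule: http-method lists the covered methods; http-method-omission
    covers every method except those listed; neither element means all methods."""
    if record["methods"]:
        return method in record["methods"]
    if record["omitted"]:
        return method not in record["omitted"]
    return True


def effective_policy(web_xml, pattern, methods=HTTP_METHODS):
    """Map each method to 'UNCOVERED', 'denied', 'unprotected' or 'roles:<a,b>' for one url-pattern."""
    constraints = [c for c in parse_constraints(web_xml) if pattern in c["patterns"]]
    policy = {}
    for method in methods:
        matching = [c for c in constraints if covers(c, method)]
        if not matching:
            policy[method] = "UNCOVERED"          # no constraint applies: container imposes nothing
            continue
        kinds = {c["kind"] for c in matching}
        if "denied" in kinds:                    # empty auth-constraint wins over everything
            policy[method] = "denied"
        elif "unprotected" in kinds:             # missing auth-constraint wins over named roles
            policy[method] = "unprotected"
        else:
            policy[method] = "roles:" + ",".join(sorted(set().union(*(c["roles"] for c in matching))))
    return policy


def uncovered_methods(web_xml, pattern, methods=HTTP_METHODS):
    """Methods on the pattern that no security-constraint covers, sorted."""
    return sorted(m for m, p in effective_policy(web_xml, pattern, methods).items() if p == "UNCOVERED")


if __name__ == "__main__":
    for label, doc in (("#3 and #4 only", WEB_XML_3_4), ("#3, #4 and #5", with_constraint_5(WEB_XML_3_4))):
        print(f"{label}:")
        for method, policy in effective_policy(doc, "/company/*").items():
            print(f"  {method:8s} {policy}")
```

With only #3 and #4 declared, every method except GET and POST reports UNCOVERED on /company/*, so PUT, DELETE and the rest reach the servlet with no container-enforced check; after #5 is appended they report denied. In Servlet 3.1 and later the same outcome can also be reached declaratively with a top-level `<deny-uncovered-http-methods/>` element in web.xml, which is worth enabling regardless so that a forgotten method fails closed.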
• The simplest way to ensure that you deny all HTTP methods except those that you want to be permitted is to use http-method-omission elements (available since Servlet 3.0) to omit those HTTP methods from the security constraint, and also to define an auth-constraint that names no roles. The security constraint will apply to all methods except those named in the omissions, and because an auth-constraint that names no roles precludes access, those methods are denied to every caller, authenticated or not. The constraint applies only to the resources matched by the patterns in the constraint, and it says nothing about the omitted methods themselves, which must be protected by their own constraints (for example, #3 and #4 above).
For example, the following constraint denies access to the resources matched by the pattern /company/* via every method other than GET and POST:
<!-- SECURITY CONSTRAINT #5 -->
<security-constraint>
  <display-name>Deny all HTTP methods except GET and POST</display-name>
  <web-resource-collection>