idp 4 / jetty
Paul B. Henson
henson at cpp.edu
Sun Apr 19 21:40:28 EDT 2020
I'm working on upgrading to idp 4, and also switching from tomcat to
jetty along the way. I see this warning in the logs when starting the
idp:
2020-04-19 18:30:21,801 - WARN [org.eclipse.jetty.security.SecurityHandler:757] - ServletContext at o.e.j.w.WebAppContext@7c51f34b{Shibboleth Identity Provider,/idp,[file:///var/lib/jetty/tmp/jetty-127_0_0_1-80-idp_war-_idp-any-8922624869478006441.dir/webinf/, jar:file:///opt/shibboleth-idp/war/idp.war!/],STARTING}{/opt/shibboleth-idp/war/idp.war} has uncovered http methods for path: /*
The idp has the following security-constraints enabled in web.xml.
My understanding is this warning occurs because some things are
explicitly blocked, while others are implicitly allowed? And to just
ignore it. I'm not that familiar with this area and was just curious
if there was an easy way to explicitly allow the converse of what's
explicitly denied so jetty doesn't complain about it.
Thanks...
<!-- Block commonly flagged methods by using an empty auth-constraint. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Non-API Content</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>PATCH</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
<!-- Allow any HTTP methods to the API flows. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administrative APIs</web-resource-name>
        <url-pattern>/profile/admin/*</url-pattern>
    </web-resource-collection>
    <!-- no auth-constraint tag here -->
</security-constraint>
--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | henson at cpp.edu
California State Polytechnic University | Pomona CA 91768
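
Added example, not part of the original message and not Shibboleth or Jetty code: a small checker that applies a simplified reading of the Servlet specification's "uncovered HTTP methods" rule to the two constraints quoted above, comparing url-patterns as exact strings. The `<web-app>` wrapper, the `WITH_OMISSION` variant using `http-method-omission`, and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The two constraints from the post, inside a constructed <web-app> root.
POSTED = """<web-app>
<security-constraint><web-resource-collection><url-pattern>/*</url-pattern>
  <http-method>PUT</http-method><http-method>PATCH</http-method>
  <http-method>DELETE</http-method><http-method>TRACE</http-method>
</web-resource-collection><auth-constraint/></security-constraint>
<security-constraint><web-resource-collection>
  <url-pattern>/profile/admin/*</url-pattern>
</web-resource-collection></security-constraint>
</web-app>"""
# Constructed variant (assumption, not the IdP's web.xml): a further constraint
# with no auth-constraint that omits exactly the four blocked methods.
OMIT = "".join(f"<http-method-omission>{m}</http-method-omission>"
               for m in ("PUT", "PATCH", "DELETE", "TRACE"))
WITH_OMISSION = POSTED.replace("</web-app>", "<security-constraint>"
    "<web-resource-collection><url-pattern>/*</url-pattern>" + OMIT +
    "</web-resource-collection></security-constraint></web-app>")

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop an XML namespace if present

def uncovered(web_xml):
    """Map each url-pattern to the HTTP methods no constraint covers."""
    named, omitted, covered_all = {}, {}, set()
    for sc in ET.fromstring(web_xml).iter():
        if local(sc) != "security-constraint":
            continue
        for wrc in (e for e in sc if local(e) == "web-resource-collection"):
            vals = lambda n: {e.text.strip() for e in wrc if local(e) == n}
            methods, omits = vals("http-method"), vals("http-method-omission")
            for pat in vals("url-pattern"):
                named.setdefault(pat, set()).update(methods)
                if omits:
                    omitted.setdefault(pat, []).append(omits)
                elif not methods:
                    covered_all.add(pat)  # no method list: covers every method
    result = {}
    for pat, listed in named.items():
        if pat in covered_all:
            result[pat] = set()
        elif pat in omitted:  # uncovered only if omitted everywhere and never named
            result[pat] = set.intersection(*omitted[pat]) - listed
        else:
            result[pat] = "all except " + ",".join(sorted(listed))
    return result

print(uncovered(POSTED))
print(uncovered(WITH_OMISSION))
```

Under this model the posted `/*` constraint leaves every method other than the four listed uncovered, while `/profile/admin/*` and the variant's `/*` have none.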