Ex: Re: idp 4 / jetty
Paul B. Henson
henson at cpp.edu
Mon Apr 20 18:30:59 EDT 2020
> From: Cantor, Scott
> Sent: Monday, April 20, 2020 3:07 PM
> Could be. Says that's supported since Servlet 3.0, which is old enough. You're
> welcome to file a bug.
Cool, thanks. It looks like another option would be something like below, denying everything explicitly, then one allow with limited methods for the non-API URLs, and a separate one for the API URLs with no methods listed. Any preference for which approach would be better? Do the non-API URLs need any methods other than GET/POST enabled? Maybe HEAD?
<!-- no auth-constraint tag here -->
More information about the users