Ex: Re: idp 4 / jetty
Paul B. Henson
henson at cpp.edu
Mon Apr 20 18:30:59 EDT 2020
> From: Cantor, Scott
> Sent: Monday, April 20, 2020 3:07 PM
>
> Could be. Says that's supported since Servlet 3.0, which is old enough. You're
> welcome to file a bug.
Cool, thanks. It looks like another option would be something like below, denying everything explicitly, then one allow with limited methods for the non-API URLs, and a separate one for the API URLs with no methods listed. Any preference for which approach would be better? Do the non-API URLs need any methods other than GET/POST enabled? Maybe HEAD?
<security-constraint>
    <display-name>Deny everything</display-name>
    <web-resource-collection>
        <!-- web-resource-name is required by the web-app schema -->
        <web-resource-name>Everything</web-resource-name>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <!-- empty auth-constraint: no role is permitted, so access is denied -->
    <auth-constraint/>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Non-API Content</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- no auth-constraint: GET and POST stay unauthenticated -->
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administrative APIs</web-resource-name>
        <url-pattern>/profile/admin/*</url-pattern>
    </web-resource-collection>
    <!-- no auth-constraint tag here -->
</security-constraint>
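The other option the quoted reply describes as supported since Servlet 3.0 is http-method-omission, which makes one constraint cover every method except those it lists. The fragment below is an added example written for this page; it is not code from the post above or from the Shibboleth project. It keeps the /profile/admin/* pattern from the post, assumes a Servlet 3.1 container (Jetty 9.4 as shipped with IdP 4), and treats HEAD as needed alongside GET and POST, which is an assumption. Under Servlet spec section 13.8.3 the container applies only the constraints declared on the best-matching url-pattern and accepts any method not constrained at that pattern, so the method restriction sits on the same /* pattern as the allow rather than in a separate catch-all.

```xml
<!-- Added example (not from the post or the Shibboleth project); goes inside <web-app>.
     Assumes a Servlet 3.1 container (Jetty 9.4 with IdP 4). -->

<!-- Servlet 3.1: refuse any method that no constraint covers at the best-matching pattern. -->
<deny-uncovered-http-methods/>

<!-- 1. Non-API content: cover every method EXCEPT GET, POST and HEAD (http-method-omission,
        Servlet 3.0). The empty auth-constraint permits no role, so those methods get 403. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Non-API content, disallowed methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
        <http-method-omission>HEAD</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

<!-- 2. Non-API content: cover GET, POST and HEAD explicitly with no auth-constraint, so they
        stay unauthenticated and are not "uncovered" for deny-uncovered-http-methods.
        Without that element this constraint could be dropped: a method that no constraint
        covers at the best-matching pattern is simply accepted. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Non-API content, allowed methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
    </web-resource-collection>
</security-constraint>

<!-- 3. Administrative APIs: /profile/admin/* is a better match than /*, so only this
        constraint applies there. No method list and no auth-constraint means every method
        is covered and accepted; the IdP's own access control for admin flows is unaffected. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administrative APIs</web-resource-name>
        <url-pattern>/profile/admin/*</url-pattern>
    </web-resource-collection>
</security-constraint>
```

To check the result after restarting the container, send a non-allowed method to a non-admin IdP URL (for example `curl -i -X PUT` against a profile endpoint) and expect 403, confirm GET on the same URL still returns its normal response, and confirm a non-GET method against a /profile/admin/* URL is not blocked by the container. If the container is only Servlet 3.0, drop `<deny-uncovered-http-methods/>` and constraint 2; constraint 1 alone still denies everything other than GET, POST and HEAD at /*.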