Ex: Re: idp 4 / jetty
Michael A Grady
mgrady at unicon.net
Mon Apr 20 18:45:43 EDT 2020
There was this issue noted about Tomcat and web.xml with similar impact:
> On Apr 20, 2020, at 5:30 PM, Paul B. Henson <henson at cpp.edu> wrote:
>> From: Cantor, Scott
>> Sent: Monday, April 20, 2020 3:07 PM
>> Could be. Says that's supported since Servlet 3.0, which is old enough. You're
>> welcome to file a bug.
> Cool, thanks. It looks like another option would be something like below, denying everything explicitly, then one allow with limited methods for the non-API URLs, and a separate one for the API URLs with no methods listed. Any preference for which approach would be better? Do the non-API URLs need any methods other than GET/POST enabled? Maybe HEAD?
> Deny everything
> <web-resource-name>Non-API Content</web-resource-name>
> <web-resource-name>Administrative APIs</web-resource-name>
> <!-- no auth-constraint tag here -->
Michael A. Grady
IAM Architect, Unicon, Inc.
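An added example, not part of the original messages or of the IdP's shipped web.xml: a Python check that reads a web.xml and reports, per url-pattern, how each HTTP method resolves when its security constraints are combined, so methods that a "limited methods" allow rule leaves uncovered become visible. The url-patterns and both sample documents are constructed, and the check looks at each url-pattern on its own without modelling best-match selection between patterns.

```python
import xml.etree.ElementTree as ET

METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH")
RANK = ("deny", "permit", "auth", "uncovered")  # earlier entry wins when combined

def resolve(web_xml):
    """Per url-pattern, map each method to deny | permit | auth | uncovered."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # ignore any XML namespace on the tags
        el.tag = el.tag.rsplit("}", 1)[-1]
    result = {}
    for sc in root.iter("security-constraint"):
        auth = sc.find("auth-constraint")
        # absent: open to all; empty: open to no one; otherwise a role is required
        effect = "permit" if auth is None else "deny" if auth.find("role-name") is None else "auth"
        for wrc in sc.iter("web-resource-collection"):
            listed = {m.text.strip().upper() for m in wrc.findall("http-method")}
            omitted = {m.text.strip().upper() for m in wrc.findall("http-method-omission")}
            # No <http-method> at all means the collection covers every method.
            covered = [m for m in METHODS if (m in listed if listed else m not in omitted)]
            for pat in wrc.findall("url-pattern"):
                table = result.setdefault(pat.text.strip(), dict.fromkeys(METHODS, "uncovered"))
                for m in covered:
                    table[m] = min(table[m], effect, key=RANK.index)
    return result

# Constructed sample: the allow rule lists GET/POST only, nothing covers the rest.
WEAK = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Non-API Content</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

# Constructed sample: the same rule plus an explicit deny for every other method.
HARDENED = WEAK.replace("</web-app>", """<security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>""")
```

Any method reported as `uncovered` is one the container does not restrict for that pattern, which is the gap the explicit deny closes.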