Ex: Re: idp 4 / jetty

Michael A Grady mgrady at unicon.net
Mon Apr 20 18:45:43 EDT 2020


There was this issue noted about Tomcat and web.xml with similar impact:

  https://issues.shibboleth.net/jira/browse/IDP-1382 

> On Apr 20, 2020, at 5:30 PM, Paul B. Henson <henson at cpp.edu> wrote:
> 
>> From: Cantor, Scott
>> Sent: Monday, April 20, 2020 3:07 PM
>> 
>> Could be. Says that's supported since Servlet 3.0, which is old enough. You're
>> welcome to file a bug.
> 
> Cool, thanks. It looks like another option would be something like below, denying everything explicitly, then one allow with limited methods for the non-API URLs, and a separate one for the API URLs with no methods listed. Any preference for which approach would be better? Do the non-API URLs need any methods other than GET/POST enabled? Maybe HEAD?
> 
> <security-constraint>
>     <display-name>Deny everything</display-name>
>     <web-resource-collection>
>         <!-- web-resource-name is mandatory in a web-resource-collection -->
>         <web-resource-name>Everything</web-resource-name>
>         <url-pattern>/</url-pattern>
>     </web-resource-collection>
>     <auth-constraint/>
> </security-constraint>
> 
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Non-API Content</web-resource-name>
>         <url-pattern>/*</url-pattern>
>         <http-method>GET</http-method>
>         <http-method>POST</http-method>
>     </web-resource-collection>
> </security-constraint>
> 
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Administrative APIs</web-resource-name>
>         <url-pattern>/profile/admin/*</url-pattern>
>     </web-resource-collection>
>     <!-- no auth-constraint tag here -->
> </security-constraint>
> -- 
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> 

--
Michael A. Grady
IAM Architect, Unicon, Inc.


