Ron Monzillo's Weblog

     
 
« Prelude includes... | Main | Defining Security... »

16 Dec · Tue 2008

Servlet 3.0: HTTP method exception lists in security constraints


In a related post, Servlet Security Constraints - summary and recommendations, I described recommendations and best practices for defining security constraints. Recommendation 3 in that post was defined to deal with a problem in the constraint grammar that was introduced when Servlet adopted support for HTTP extension methods (that is, when the universe of supported HTTP methods became non-enumerable). The problem is that it is difficult to define a security constraint on, for example, all HTTP methods except GET and POST. The Servlet EG has proposed a change to Servlet 3.0 to address this problem. According to the change, the web-resource-collection element that is used to target security constraints will be changed to make it easy to target a security constraint to any of the following;
  • all HTTP methods
  • all HTTP methods named in a list
  • all HTTP methods other than those named in a list.

The change would be made to the deployment descriptor schema as apposed to the DTD. In this note, the proposed change (to the web-resource-collection ELEMENT) is described using DTD syntax. 


    <!--  The web-resource-collection element is used to identify 
    the resources and HTTP methods on those resources to which a security 
    constraint applies. If no HTTP methods are specified, then the security 
    constraint applies to all HTTP methods. If HTTP methods are specified by 
    http-method-exception elements, the security constraint applies to all 
    methods except those identified in the collection. http-method-exception 
    and http-method elements are never mixed in the same collection. -->

    <!ELEMENT web-resource-collection 
                (web-resource-name, description?, url-pattern*, 
                 (http-method* | http-method-exception*)> 

    <!-- An http-method-exception contains the name of an HTTP 
    method (GET | POST |...). -->

    <!ELEMENT http-method-exception (#PCDATA)>

Support for the use of the @RolesAllowed, @PermitAll, and @DenyAll annotations within Servlet has also been proposed for inclusion in Servlet 3.0. The change to web-resource-collection defined in this note, would facilitate the use of these security annotations. More on that in a future entry.

Posted by monzillo @ 01:53 PM EST [ Comments [0] ]
 
 
 
 
Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
 

« December 2009
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today

[This is a Roller site]
Theme by Rowell Sotto.
 
© monzillo