jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: Digest for list jsr340-experts@servlet-spec.java.net

From: Rémy Maucherat <rmaucher_at_redhat.com>
Date: Tue, 11 Sep 2012 10:04:05 +0200

On 09/11/2012 04:14 AM, Jeff Williams wrote:
> Personally, I would rather cause some applications to break and have a
> servlet spec that's secure out of the box. But if that's not possible,
> then Ron's proposal seems right.
I was always against adding deny security in the Servlet security. The
rules are already very complex, so many people don't understand them
well; this is going to make things worse. So -1 for adding them.

Your scary sounding "verb tampering" attack is not legitimate and quite
misleading. If the Servlet is handling all HTTP methods as a GET, then
it should be protected accordingly in security constraints, without
using methods in there.

Rémy
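The web.xml pattern Rémy is describing, as an added example constructed for this page (not from the thread, the spec, or any project): the first constraint lists methods and so covers only GET and POST, which is the gap the "verb tampering" argument relies on when a servlet serves every method the same way; the second drops the <http-method> elements so the auth-constraint applies to every method. The role name admin and the URL pattern /admin/* are assumptions; the two constraints are shown as alternatives, not to be deployed together.

```xml
<!-- Constructed web.xml fragment, not from the thread. -->

<!-- WEAK: because methods are listed, only GET and POST on /admin/*
     require the admin role. Any other method (HEAD, PUT, OPTIONS, ...)
     reaching the same servlet is outside this constraint, which is the
     situation the "verb tampering" discussion is about when the servlet
     treats every method like a GET. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin area (method-scoped)</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>   <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<!-- RECOMMENDED (Rémy's point): no <http-method> at all, so the
     constraint covers every HTTP method on /admin/* and there is nothing
     left uncovered for a servlet that handles all methods alike. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin area (all methods)</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>   <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<!-- A matching <security-role> and <login-config> are still required
     elsewhere in web.xml for either constraint to take effect. -->
```

The same reasoning applies to <http-method-omission>: any method list, positive or negative, leaves the unlisted methods unconstrained, while omitting the element entirely does not.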