users@glassfish.java.net

Re: disabling HTTP methods

From: <glassfish_at_javadesktop.org>
Date: Mon, 09 Jun 2008 14:28:27 PDT

If you want to use the portable container access control model to achieve this effect for a specific application, then you can do so by defining (in web.xml) a security-constraint containing an excluding auth-constraint (naming the methods you want to exclude).

The security-constraint would contain a web-resource-collection containing the "/*" url-pattern, and every other url-pattern appearing in a security-constraint of the application.

The web-resource-collection would list the methods you want to exclude, and the security-constraint would contain an auth-constraint naming no roles.
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=279267
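
The constraint described in the message above, written out as an added web.xml example that is not part of the original post. The existing `/admin/*` constraint, the `admin` role and the particular methods excluded are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Assumed pre-existing constraint of the application:
       only the "admin" role may reach /admin/*. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Excluding constraint: an auth-constraint that names no roles
       denies the listed methods to every caller, authenticated or not. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>excluded HTTP methods</web-resource-name>
      <!-- "/*" covers the application as a whole. -->
      <url-pattern>/*</url-pattern>
      <!-- Repeat every url-pattern used by any other security-constraint.
           The container applies only the constraints of the best-matching
           pattern, so a request for /admin/x is governed by /admin/* and
           would not pick up an exclusion declared on "/*" alone. -->
      <url-pattern>/admin/*</url-pattern>
      <!-- Methods to exclude (assumed selection). -->
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>TRACE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

Methods not listed in the second constraint stay subject to whatever other constraints apply, so GET and POST to `/admin/*` still require the `admin` role here.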