jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: [servlet-spec users] Uncovered HTTP methods Was: Digest for list jsr340-experts@servlet-spec.java.net

From: Mark Thomas <markt_at_apache.org>
Date: Thu, 13 Sep 2012 19:45:22 +0100

On 11/09/2012 03:14, Jeff Williams wrote:
> All,
>
> I was disappointed to hear that work on the DENY semantic for uncovered
> HTTP methods hadn't progressed. I thought it was done. Here's the
> thread and I guess it just sort of died there.
> http://java.net/projects/servlet-spec/lists/jsr340-experts/archive/2012-03/message/7

As I said previously, I don't like the additional complexity this adds
either for container developers or for users trying to figure out
exactly what is going on. The issue here is one of user understanding of
a complex definition. We should be making things simpler, not more complex.

I would be all for:
- containers logging a warning when it looks like the developer has done
something odd (i.e. every time GET or POST appears in an <http-method>
element)
- better examples and clearer warnings in the specification document
- adding a reference to a Servlet specification security best practice
guide (if one exists or OWASP would like to write one)

Mark
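The warning Mark describes (flag every `<http-method>` element naming GET or POST, because an enumerated method list leaves every other method uncovered) can be checked outside the container as well. The following is an added example, not code from this thread or from any servlet container: a small lint over a constructed web.xml that reports constraints whose web-resource-collection enumerates methods, lists the common methods they leave uncovered, and rewrites the descriptor so each constraint covers all methods. The sample descriptor, the function names and the set of "common methods" are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread). The first constraint
# enumerates GET and POST, so PUT, DELETE, HEAD, OPTIONS, TRACE and any other
# method on /admin/* are uncovered, i.e. reachable with no auth-constraint.
# The second constraint lists no <http-method>, so it applies to every method.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>analyst</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Representative set used to spell out what "uncovered" means in a report.
# HTTP allows arbitrary method tokens, so the real uncovered set is larger.
COMMON_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"]


def local(tag):
    """Strip the XML namespace so the lint works for any web-app namespace."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    return [(c.text or "").strip() for c in parent if local(c.tag) == name]


def lint_security_constraints(web_xml_text):
    """Return one finding per web-resource-collection that enumerates methods.

    A collection with neither <http-method> nor <http-method-omission> covers
    all methods and is not reported.  Each finding records the listed methods,
    the common methods left uncovered, and whether GET or POST was listed
    (the case Mark suggests containers warn about).
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if local(wrc.tag) != "web-resource-collection":
                continue
            listed = [m.upper() for m in _texts(wrc, "http-method")]
            omitted = [m.upper() for m in _texts(wrc, "http-method-omission")]
            if not listed and not omitted:
                continue  # no enumeration: every method is covered
            if listed:
                uncovered = [m for m in COMMON_METHODS if m not in listed]
            else:
                uncovered = [m for m in COMMON_METHODS if m in omitted]
            findings.append({
                "resource": (_texts(wrc, "web-resource-name") or ["?"])[0],
                "patterns": _texts(wrc, "url-pattern"),
                "listed": listed,
                "omitted": omitted,
                "uncovered": uncovered,
                "warn_get_post": any(m in ("GET", "POST") for m in listed),
            })
    return findings


def cover_all_methods(web_xml_text):
    """Hardened form: drop <http-method> enumerations so each constraint
    applies to every method rather than only the ones the developer named."""
    root = ET.fromstring(web_xml_text)
    for wrc in root.iter():
        if local(wrc.tag) == "web-resource-collection":
            for child in list(wrc):
                if local(child.tag) == "http-method":
                    wrc.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in lint_security_constraints(SAMPLE_WEB_XML):
        print("WARNING: %s %s lists %s; uncovered: %s"
              % (f["resource"], f["patterns"], f["listed"], f["uncovered"]))
    print("after fix:", lint_security_constraints(cover_all_methods(SAMPLE_WEB_XML)))
```

Run against the sample, the lint reports only the Admin collection; after `cover_all_methods` the same descriptor produces no findings. Dropping the enumeration is the simplest fix when the intent is "protect this URL space"; a developer who genuinely needs per-method rules has to add a further constraint for the remaining methods, which is exactly the subtlety the warning is meant to surface.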