jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: Digest for list jsr340-experts@servlet-spec.java.net

From: Jeff Williams <jeff.williams_at_aspectsecurity.com>
Date: Tue, 11 Sep 2012 19:41:28 -0400

Sorry about the scary sounding name. I'm not particularly a fan of the way vulnerabilities get named either.

But it is a legitimate attack -- and what's misleading is the spec!

Of course it's because the constraint is misconfigured. That's the point. Every developer I've talked with thinks that adding methods ensures that *only* those methods can be used. Even the example *in the spec* seems to support that interpretation. That's what they *want* - the ability to restrict access to a small known set of methods. And yes, most of the time they can make their app safe by removing the methods. But they still don't get exactly what they want.

How many people do you think search for "web.xml security-constraint" and click on the first article...
http://java.dzone.com/articles/understanding-web-security

--Jeff


-----Original Message-----
From: Rémy Maucherat [mailto:rmaucher_at_redhat.com]
Sent: Tuesday, September 11, 2012 4:04 AM
To: jsr340-experts_at_servlet-spec.java.net
Subject: [jsr340-experts] Re: Digest for list jsr340-experts_at_servlet-spec.java.net

On 09/11/2012 04:14 AM, Jeff Williams wrote:
> Personally, I would rather cause some applications to break and have a
> servlet spec that's secure out of the box. But if that's not
> possible, then Ron's proposal seems right.

I was always against adding deny security in the Servlet security. The rules are very complex already so that many people don't understand them well, this is going to make things worse. So -1 for adding them.

Your scary sounding "verb tampering" attack is not legitimate and quite misleading. If the Servlet is handling all HTTP methods as a GET, then it should be protected accordingly in security constraints, without using methods in there.

Rémy
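A small audit script for the gap Jeff describes above, added here as an example and not code from the thread or from any Servlet container: it parses a web.xml and reports, per url-pattern, which HTTP methods no security-constraint covers, so a constraint that lists only GET and POST shows up with every other method uncovered. The method list and the sample web.xml are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Methods a container commonly routes; an assumption, extend for your app.
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"}

def _local(tag):
    """Strip the XML namespace so either javaee namespace URI matches."""
    return tag.rsplit("}", 1)[-1]

def _texts(el, name):
    """Text of every descendant element whose local name is `name`."""
    return [e.text.strip() for e in el.iter() if _local(e.tag) == name and e.text]

def uncovered_methods(web_xml, methods=COMMON_METHODS):
    """Return {url-pattern: sorted methods no security-constraint covers}."""
    root = ET.fromstring(web_xml)
    covered = {}
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        listed = {m.upper() for m in _texts(sc, "http-method")}
        omitted = {m.upper() for m in _texts(sc, "http-method-omission")}
        if listed:              # only the named methods are constrained
            scope = listed
        elif omitted:           # everything except the omitted methods
            scope = set(methods) - omitted
        else:                   # no method element: every method is constrained
            scope = set(methods)
        for pattern in _texts(sc, "url-pattern"):
            covered.setdefault(pattern, set()).update(scope)
    # Coverage only: what each <auth-constraint> grants is not evaluated here.
    return {p: sorted(set(methods) - c) for p, c in covered.items()}

# Constructed sample web.xml: the first constraint is the pattern the thread
# warns about, the second states the same intent without listing methods.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
```

Running `uncovered_methods(SAMPLE_WEB_XML)` lists six uncovered methods for `/admin/*` and none for `/reports/*`, which is the difference between the two constraints that the thread is arguing about.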