users@servlet-spec.java.net

[servlet-spec users] [jsr340-experts] Configuring DENY semantic for uncovered HTTP Methods

From: Bill Shannon <bill.shannon_at_oracle.com>
Date: Wed, 30 Jan 2013 12:19:33 -0800

Some time ago Oracle proposed a new Servlet option to change the default
semantic for uncovered HTTP methods from ALLOW to DENY. This proposal
was meant to address a potential security issue in the Servlet spec
pointed out by Jeff Williams of Aspect Security and OWASP.

While proper use of the Servlet security options results in no security
issues, it's far too easy to use the Servlet security options improperly.
This proposal addresses an "ease of use" issue related to security, not
a correctness issue.

My understanding is that many members of the Servlet expert group rejected
this proposal, because there is no actual security hole that this fixes,
and because the fix seemed to make the security model more complex.

I raised this issue in the Java EE platform expert group for discussion.
Many experts felt strongly that this is a real issue that should be
addressed in the Servlet spec, and that the proposed solution was an
appropriate way to address the issue. No one in the platform expert
group objected to the proposed solution.

I'm sure you're aware that security issues in the Java platform are
receiving additional attention lately. While addressing this issue
is only one small step, we and others feel it is an important one.
Unless a technical flaw is discovered in the proposed approach, we
intend to include this in Servlet 3.1.

Thank you.

        Bill Shannon
        Java EE Spec Lead