Warning: JACC: For the URL pattern xxx, all but the following methods were uncovered: POST, GET
In javax.faces.webapp.FacesServlet docs, it is mentioned,

Allowable HTTP Methods

The JSF specification only requires the use of the GET and POST http methods. If your web application does not require any other http methods, such as PUT and DELETE, please consider restricting the allowable http methods using the <http-method> and <http-method-omission> elements. Please see the Security of the Java Servlet Specification for more information on the use of these elements.


My application indeed does not depend upon other HTTP methods (except GET and POST). Therefore, I am trying to use <http-method> (or <http-method-omission>) to exclude all methods except GET and POST.

In web.xml, JAAS Servlet security constraints are configured as follows.

<security-constraint>
    <display-name>AdminConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>ROLE_ADMIN</web-resource-name>
        <description/>
        <url-pattern>/admin_side/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ROLE_ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <display-name>UserConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>ROLE_USER</web-resource-name>
        <description/>
        <url-pattern>/user_side/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Using these elements,

<http-method>GET</http-method>
<http-method>POST</http-method>

I expect that all other HTTP methods are disallowed.


The GlassFish Server 4.1 however, logs the following warnings on the server terminal.

Warning: JACC: For the URL pattern /user_side/*, all but the following methods were uncovered: POST, GET

Warning: JACC: For the URL pattern /admin_side/*, all but the following methods were uncovered: POST, GET

What does it mean?


Also instead of doing it in all <security-constraint> elements, can this be configured globally so that it can be applied to all resources in an application and that all except GET and POST HTTP requests can be omitted i.e. applied globally to an application - perhaps by using a more generalized url-pattern like /*?


There is an example here.

<security-constraint>
    <display-name>WebConstraint</display-name>

    <web-resource-collection>
        <web-resource-name>test</web-resource-name>
        <description/>
        <url-pattern>/test.jsp</url-pattern>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>

    <auth-constraint>
        <description/>
        <role-name>dev</role-name>
    </auth-constraint>
</security-constraint>

the above element indicates that the resource referenced by the url pattern /test.jsp, when accessed by all the http-methods except GET, should be constrained to be viewed only by authenticated users belonging to the role dev. Please note that the security constraint does not apply for the http-method GET, but only for the other methods (POST, HEAD, PUT, etc.).

I found the last sentence in strong text confusing. Does it mean that using a GET request, resources listed in the given url-pattern are also accessible by anonymous users because it means to say, "the security constraint does not apply for the http-method GET"?

Eight answered 11/12, 2014 at 19:52 Comment(1)
> JAAS security constraints are configured as follows. - those are not JAAS security constraints, but Servlet security constraints. - Fallible

What does it mean?

It means that all methods except GET and POST are uncovered, meaning unprotected. Everyone can access the url pattern /user_side/* with methods like PUT and HEAD without authentication.

To protect the other methods add the following:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected</web-resource-name>
        <url-pattern>/user_side/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

If you are using Servlet 3.1 you can also use the shorter tag:

<deny-uncovered-http-methods/>

Also instead of doing it in all elements, can this be configured globally so that it can be applied to all resources in an application and that all except GET and POST HTTP requests can be omitted i.e. applied globally to an application - perhaps by using a more generalized url-pattern like /*?

Yes, this is possible. You can use the url-pattern / to include all subfolders.

I found the last sentence in strong text confusing. Does it mean that using a GET request, resources listed in the given url-pattern can also be accessible by anonymous users because it means to say, "the security constraint does not apply for the http-method GET"?

You are right, it means that anonymous users can access the given url-pattern with the GET method. All other methods are protected.

See also:

Shetler answered 12/12, 2014 at 0:38 Comment(1)
I used <deny-uncovered-http-methods/>, since I am on Servlet 3.1. The log level was lowered to INFO and different messages were logged after these changes were made like: Info: JACC: For the URL pattern /user_side/*, all but the following methods have been excluded: POST,GET. I assume that this is a safe message and that I have done everything correctly :) Good findings. Thanks. - Eight
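The "uncovered" condition behind the JACC warning in the question, and the two fixes given in the answer (an <http-method-omission> constraint, or <deny-uncovered-http-methods/>), can be checked mechanically before deploying. The following Python script is an added example, not code from the question, the answer or GlassFish. It parses a web.xml fragment and applies the Servlet 3.1 coverage rule the answer relies on: a web-resource-collection with <http-method> elements covers only those methods, one with <http-method-omission> elements covers every method except those named, one with neither covers all methods, and <deny-uncovered-http-methods/> makes the container refuse whatever is left uncovered. The sample web.xml is constructed from the question's two constraints plus the answer's omission-based constraint for /user_side/*; the function and class names are my own. It compares url-pattern strings literally and models coverage only, not the spec's full constraint-merging rules for roles and transport guarantees.

```python
"""Report HTTP methods left uncovered by web.xml security constraints.

Added example (not from the original Q&A). Mirrors the condition behind
GlassFish's "JACC: For the URL pattern X, all but the following methods
were uncovered" warning, per Servlet 3.1 section 13.8.4.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: the question's two constraints plus the answer's
# omission-based constraint, which closes the gap for /user_side/* only.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ROLE_ADMIN</web-resource-name>
      <url-pattern>/admin_side/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ROLE_ADMIN</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ROLE_USER</web-resource-name>
      <url-pattern>/user_side/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ROLE_USER</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/user_side/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so a web.xml that
    declares the javaee default namespace is handled the same way."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


@dataclass(frozen=True)
class Coverage:
    """complement=False: exactly `methods` are covered.
    complement=True: every method except `methods` is covered."""
    complement: bool
    methods: frozenset

    def union(self, other):
        if not self.complement and not other.complement:
            return Coverage(False, self.methods | other.methods)
        if self.complement and other.complement:
            return Coverage(True, self.methods & other.methods)
        full, partial = (self, other) if self.complement else (other, self)
        return Coverage(True, full.methods - partial.methods)


NOTHING = Coverage(False, frozenset())  # pattern not named by any constraint


def coverage_of(collection):
    """Coverage contributed by one <web-resource-collection>."""
    named = {c.text.strip().upper() for c in _children(collection, "http-method")}
    omitted = {c.text.strip().upper() for c in _children(collection, "http-method-omission")}
    if named:
        return Coverage(False, frozenset(named))
    # omission list, or neither element: all methods except the omitted ones
    return Coverage(True, frozenset(omitted))


def analyse(web_xml):
    """Return ({url-pattern: Coverage}, deny_uncovered_flag)."""
    root = ET.fromstring(web_xml)
    per_pattern = {}
    for sc in _children(root, "security-constraint"):
        for wrc in _children(sc, "web-resource-collection"):
            cov = coverage_of(wrc)
            for up in _children(wrc, "url-pattern"):
                pattern = up.text.strip()
                per_pattern[pattern] = per_pattern.get(pattern, NOTHING).union(cov)
    deny = bool(_children(root, "deny-uncovered-http-methods"))
    return per_pattern, deny


def uncovered(web_xml):
    """Per pattern: ("all_but", covered) is the JACC-warning case, every method
    outside the list is open; ("only", uncovered) lists the open methods, [] meaning none."""
    per_pattern, deny = analyse(web_xml)
    report = {p: ("only" if c.complement else "all_but", sorted(c.methods))
              for p, c in per_pattern.items()}
    return report, deny


def method_is_uncovered(web_xml, pattern, method):
    """True if `method` on `pattern` would bypass every constraint."""
    per_pattern, deny = analyse(web_xml)
    if deny:
        return False  # container rejects uncovered methods outright
    cov = per_pattern.get(pattern, NOTHING)
    m = method.upper()
    return m in cov.methods if cov.complement else m not in cov.methods


if __name__ == "__main__":
    report, deny = uncovered(SAMPLE_WEB_XML)
    for pattern, (kind, methods) in report.items():
        if kind == "all_but":
            print(f"WARNING: {pattern}: all but {', '.join(methods)} uncovered")
        elif methods:
            print(f"WARNING: {pattern}: uncovered methods {', '.join(methods)}")
        else:
            print(f"ok: {pattern}: all methods covered")
    print("deny-uncovered-http-methods:", deny)
```

Run against the sample, /admin_side/* still reports "all but GET, POST uncovered" while /user_side/* is fully covered, which is exactly the difference between the question's configuration and the answer's fix; adding <deny-uncovered-http-methods/> to the root makes method_is_uncovered return False for every pattern without having to touch each constraint.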
