Servlet 3.0: HTTP method exception lists in security constraints
By monzillo on Dec 16, 2008
- all HTTP methods
- all HTTP methods named in a list
- all HTTP methods other than those named in a list.
The change would be made to the deployment descriptor schema as opposed to the DTD. In this note, the proposed change (to the web-resource-collection ELEMENT) is described using DTD syntax.
```
<!--
The web-resource-collection element is used to identify the resources
and HTTP methods on those resources to which a security constraint
applies. If no HTTP methods are specified, then the security constraint
applies to all HTTP methods. If HTTP methods are specified by
http-method-exception elements, the security constraint applies to all
methods except those identified in the collection. http-method-exception
and http-method elements are never mixed in the same collection.
-->
<!ELEMENT web-resource-collection (web-resource-name, description?,
    url-pattern*, (http-method* | http-method-exception*))>

<!--
An http-method-exception contains the name of an HTTP method
(GET | POST |...).
-->
<!ELEMENT http-method-exception (#PCDATA)>
```
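The three cases this content model allows, worked through as an added Python sketch (not code from the original note or from any Servlet container). The names `collection` and `applies_to` are hypothetical, and the sample collections are constructed using the element name proposed in this note.

```python
import xml.etree.ElementTree as ET


def collection(*method_elements):
    """Build a constructed web-resource-collection for /admin/* (sample data)."""
    return ("<web-resource-collection>"
            "<web-resource-name>admin</web-resource-name>"
            "<url-pattern>/admin/*</url-pattern>"
            + "".join(method_elements)
            + "</web-resource-collection>")


def applies_to(collection_xml, method):
    """Return True if the security constraint covers `method`."""
    root = ET.fromstring(collection_xml)
    listed = {e.text.strip() for e in root.findall("http-method")}
    excepted = {e.text.strip() for e in root.findall("http-method-exception")}
    if listed and excepted:
        # The proposed content model is a choice: one kind or the other.
        raise ValueError("http-method and http-method-exception are mixed")
    if listed:
        return method in listed        # only the named methods
    if excepted:
        return method not in excepted  # everything except the named methods
    return True                        # no methods named: all methods


ALL = collection()
LISTED = collection("<http-method>GET</http-method>",
                    "<http-method>POST</http-method>")
EXCEPT = collection("<http-method-exception>GET</http-method-exception>")
MIXED = collection("<http-method>GET</http-method>",
                   "<http-method-exception>PUT</http-method-exception>")

if __name__ == "__main__":
    for name, xml in (("all", ALL), ("listed", LISTED), ("except", EXCEPT)):
        covered = [m for m in ("GET", "POST", "PUT", "DELETE")
                   if applies_to(xml, m)]
        print(f"{name:7} constraint covers: {covered}")
```

With the `LISTED` collection, PUT and DELETE fall outside the constraint; the exception form is what lets a descriptor cover every method other than the ones it deliberately leaves open.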
Support for the use of the @RolesAllowed, @PermitAll, and @DenyAll annotations within Servlet has also been proposed for inclusion in Servlet 3.0. The change to web-resource-collection defined in this note would facilitate the use of these security annotations. More on that in a future entry.