http method in web app security

 
Ranch Hand
Posts: 30
Hi everybody,

If a method is specified in the <http-method> element in <web-resource-collection>, then authentication will be asked only if a request comes with that method. If no method is specified in <http-method>, does it mean that no resource can be accessed in that web-app? Please clarify this point for me.
 
Jyothi Pathuri
Ranch Hand
Posts: 30
Does that mean that authentication will be asked for every method?
 
Ranch Hand
Posts: 127
<auth-method/> --->this means no method can access that resource
no <auth-method> means any method can be used
 
Jyothi Pathuri
Ranch Hand
Posts: 30
Does that mean that authentication will be asked for every method?
 
Ranch Hand
Posts: 256
<http-method> describes which HTTP methods are restricted for the resource.
If we put one, i.e. GET, it means only GET is constrained but anyone in any role can access POST.
So once you specify even a single <http-method>, you automatically enable any HTTP methods which you have not specified.

Now, HTTP methods won't work in a servlet unless you've overridden the doXXX() method, so if you have only doGet() in your servlet and you specify an <http-method> element for only GET, nobody can do a POST anyway, because the server knows you do not support POST.
 
Madhu Sudhana
Ranch Hand
Posts: 127
If there is no <auth-method>, we are explicitly informing the container that no method is constrained.

This means that authentication is not required for any of the methods.
[ May 07, 2006: Message edited by: sudhana madhu ]
 
Ranch Hand
Posts: 101
Hi Jyothi,

If you do not specify any <http-method> element, then the resources with the given <url-pattern> would be constrained for all the HTTP methods. On the other hand, if you do specify an <http-method> element but do not specify any HTTP method (e.g. <http-method></http-method>), then all the HTTP methods would have unconstrained access to the specified resources.

Also, if you specify this element for any one kind of HTTP method, then only that method is constrained while the others are unconstrained.

I hope this clears your doubt.

Regards,
Saurabh
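
An added example, not part of the original thread: a small Python check that reads a deployment descriptor and reports, per <url-pattern>, which standard HTTP methods fall outside every <security-constraint>, following the rule discussed above that listing an <http-method> constrains only the listed methods while omitting the element constrains all of them. The sample web.xml, its role names and the function names are constructed for illustration; patterns are compared as literal strings and <http-method-omission> is not handled.

```python
import xml.etree.ElementTree as ET

STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample descriptor (not from the thread): the first constraint
# lists only GET, the second has no <http-method> element at all.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip the XML namespace so the check works for any web.xml version."""
    return tag.rsplit("}", 1)[-1]

def uncovered_methods(web_xml):
    """Map each url-pattern to the standard HTTP methods no constraint covers."""
    covered = {}  # url-pattern -> set of constrained methods
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) != "web-resource-collection":
            continue
        patterns = [c.text.strip() for c in el if local(c.tag) == "url-pattern" and c.text]
        listed = {c.text.strip().upper() for c in el if local(c.tag) == "http-method" and c.text}
        has_method_el = any(local(c.tag) == "http-method" for c in el)
        # No <http-method> element: the constraint applies to every method.
        # An empty element is counted as covering nothing so it gets reviewed.
        methods = listed if has_method_el else set(STANDARD_METHODS)
        for p in patterns:
            covered.setdefault(p, set()).update(methods)
    return {p: sorted(STANDARD_METHODS - m) for p, m in covered.items()}

if __name__ == "__main__":
    for pattern, missing in uncovered_methods(SAMPLE_WEB_XML).items():
        print(pattern, "uncovered:", ", ".join(missing) or "none")
```

Any method reported as uncovered reaches the resource without the role check, so the usual fix is to drop the <http-method> elements from the constraint or add a second constraint that covers the remaining methods.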
 