Whitelist security constraint in web.xml

New feature of Java EE 6 which simplifies security configuration of applications. You can now whitelist versus blacklist allowed HTTP methods in your web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Disable unneeded HTTP methods by 403 Forbidden them</web-resource-name>
        <url-pattern>*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>HEAD</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

Reference: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html#6nmq2cpkb


I would try the following:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- no auth-constraint tag here -->
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
   <auth-constraint/>
</security-constraint>

The first security-constraint does not have any auth-constraint, so the GET and POST methods are available to anyone without login. The second restricts other http methods for everybody. (I haven't tried it.)


A slight tweak to the accepted answer (set the url-pattern in the second security-constraint to map to the default servlet "/") works for JBoss and Weblogic but not for Websphere:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- no auth-constraint tag here -->
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted methods</web-resource-name>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

With the security constraints configuration above, I'm not sure why Websphere allows all HTTP methods, while JBoss and Weblogic only allows GET and POST.