Warning: JACC: For the URL pattern xxx, all but the following methods were uncovered: POST, GET


Question

In the javax.faces.webapp.FacesServlet docs, it is mentioned:


Allowable HTTP methods

The JSF specification only requires the use of the GET and POST http methods. If your web application does not require any other http methods, such as PUT and DELETE, please consider restricting the allowable http methods using the <http-method> and <http-method-omission> elements. Please see the Security of the Java Servlet Specification for more information on the use of these elements.
My application indeed does not depend upon other HTTP methods (except GET and POST). Therefore, I am trying to use <http-method> (or <http-method-omission>) to exclude all methods except GET and POST.

In web.xml, the JAAS Servlet security constraints are configured as follows.

<security-constraint>
    <display-name>AdminConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>ROLE_ADMIN</web-resource-name>
        <description/>
        <url-pattern>/admin_side/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ROLE_ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <display-name>UserConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>ROLE_USER</web-resource-name>
        <description/>
        <url-pattern>/user_side/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Using these elements,

<http-method>GET</http-method>
<http-method>POST</http-method>

I expect all other HTTP methods to be disallowed.

However, GlassFish Server 4.1 logs the following warnings on the server terminal.


Warning: JACC: For the URL pattern /user_side/*, all but the following methods were uncovered: POST, GET

Warning: JACC: For the URL pattern /admin_side/*, all but the following methods were uncovered: POST, GET

What does it mean?

Also, instead of doing it in all <security-constraint> elements, can this be configured globally so that it applies to all resources in an application and all HTTP requests except GET and POST can be omitted, i.e. applied globally to an application, perhaps by using a more generalized url-pattern like /*?

There is an example here:


<security-constraint>
    <display-name>WebConstraint</display-name>

    <web-resource-collection>
        <web-resource-name>test</web-resource-name>
        <description/>
        <url-pattern>/test.jsp</url-pattern>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>

    <auth-constraint>
        <description/>
        <role-name>dev</role-name>
    </auth-constraint>
</security-constraint>

The above element indicates that the resource referenced by the url pattern /test.jsp, when accessed by all the http-methods except GET, should be constrained to be viewed only by authenticated users belonging to the role dev. Please note that the security constraint does not apply for the http-method GET, but only for the other methods (POST, HEAD, PUT, etc).

I found the last sentence in strong text confusing. Does it mean that using a GET request, resources listed in the given url-pattern are also accessible by anonymous users, because it means to say, "the security constraint does not apply for the http-method GET"?

Answer


What does it mean?

It means that all methods except GET and POST are uncovered, meaning unprotected. Everyone can access the url pattern /user_side/* with methods like PUT and HEAD without authentication.

To protect the other methods, add the following:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected</web-resource-name>
        <url-pattern>/user_side/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

If you are using Servlet 3.1, you can also use the shorter tag:

<deny-uncovered-http-methods/>




Also instead of doing it in all elements, can this be configured globally so that it can be applied to all resources in an application and that all except GET and POST HTTP requests can be omitted, i.e. applied globally to an application, perhaps by using a more generalized url-pattern like /*?

Yes, this is possible. You can use the url-pattern / to include all subfolders.


I found the last sentence in strong text confusing. Does it mean that using a GET request, resources listed in the given url-pattern can also be accessible by anonymous users, because it means to say, "the security constraint does not apply for the http-method GET"?

You are right, it means that an anonymous user can access the given url-pattern with the GET method. All other methods are protected.

See also:

  • security-constraint url-pattern and the * character within web.xml
  • Exclude css & image resources in web.xml Security Constraint
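As an added example (not code from the question, the answer or GlassFish), the following Python script performs the same uncovered-method check that the JACC warning reports: it parses a constructed web.xml fragment mirroring the question's UserConstraint, lists the methods no constraint covers, and re-checks after appending the answer's <http-method-omission> fix. It checks each url-pattern independently and does not model how a /* constraint interacts with more specific patterns.

```python
# Added example (not from the original question or answer): audit a web.xml
# for HTTP methods left uncovered by its <security-constraint> elements,
# which is what the GlassFish JACC warning on the page reports.
import xml.etree.ElementTree as ET

# Common methods. The Servlet spec treats every method a constraint does not
# list as uncovered, so extend this set for any extension methods you accept.
ALL_METHODS = frozenset({"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE"})


def _kids(elem, name):
    # Children with local name `name`; web.xml is normally namespaced.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, name):
    return {(c.text or "").strip() for c in _kids(elem, name)}


def uncovered_methods(web_xml):
    """Return {url_pattern: set of uncovered methods} for a web.xml string.
    A collection with neither <http-method> nor <http-method-omission> covers
    every method. Patterns are checked one at a time (no /* precedence)."""
    root = ET.fromstring(web_xml)
    if _kids(root, "deny-uncovered-http-methods"):
        return {}  # Servlet 3.1: uncovered methods are rejected outright
    covered = {}
    for sc in _kids(root, "security-constraint"):
        for wrc in _kids(sc, "web-resource-collection"):
            listed, omitted = _texts(wrc, "http-method"), _texts(wrc, "http-method-omission")
            methods = listed or (ALL_METHODS - omitted if omitted else set(ALL_METHODS))
            for pattern in _texts(wrc, "url-pattern"):
                covered.setdefault(pattern, set()).update(methods)
    return {p: ALL_METHODS - m for p, m in covered.items() if ALL_METHODS - m}

# Constructed sample mirroring the question's UserConstraint (namespaced like a real web.xml).
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>
<web-resource-collection><url-pattern>/user_side/*</url-pattern>
<http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
<auth-constraint><role-name>ROLE_USER</role-name></auth-constraint>
</security-constraint></web-app>"""

# The answer's fix: a second constraint covering everything except GET and POST.
FIX = """<security-constraint><web-resource-collection><url-pattern>/user_side/*</url-pattern>
<http-method-omission>GET</http-method-omission><http-method-omission>POST</http-method-omission>
</web-resource-collection><auth-constraint/></security-constraint>"""

if __name__ == "__main__":
    print("before:", uncovered_methods(SAMPLE))
    print("after: ", uncovered_methods(SAMPLE.replace("</web-app>", FIX + "</web-app>")))
```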
