Hello,
I have already posted my request on the jetty list, but someone here may be able to help me.
I am using JBoss-2.4.4 Jetty-3.1.3-1.
I am trying to prevent access to all the pages in my site except the html pages. I have tried the following configuration but it does not seem to work.
<security-constraint>
  <display-name>allow html</display-name>
  <web-resource-collection>
    <url-pattern>*.html</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
<security-constraint>
  <display-name>deny all</display-name>
  <web-resource-collection>
    <url-pattern>/</url-pattern>
  </web-resource-collection>
</security-constraint>
I had a look in the SecurityHandler and the SecurityConstraint source files, and there are a few things which are not clear:
in SecurityConstraint.forMethod:
    if (_methods==null)
        return true;
I think it should be:
    if (_methods==null)
        return false;
and in SecurityHandler.handle:
    // Check the method applies
    if (!sc.forMethod(request.getMethod()))
        continue;
I think it should be:
    // Check the method applies
    if (sc.forMethod(request.getMethod()))
        break matches;
I have tried to change it and it is working.
I have just switched from apache/tomcat to jetty, so it would be nice if someone more experienced could have a look at it.
Thanks.
Andre.