
I am getting this error when I start Tomcat:

SEVERE - For security constraints with URL pattern [/*] the HTTP methods [POST GET] are uncovered.

What is the reason for this?


I think this is a different problem from this.

My web.xml looks like:

<security-constraint>
    <display-name>Restrict resources</display-name>
    <web-resource-collection>
        <web-resource-name>/resources dir</web-resource-name>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Whitelist</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

So I try to forbid all methods except GET and POST (see ). However, some methods (PUT, DELETE, OPTIONS...) seem to return a "302 Found" instead of an automatic 403, not sure why (missing request parameters?).

BalusC
user1156544

1 Answer


To me it looks like you actually also forbid GET and POST. Instead of an empty <auth-constraint /> in the second <security-constraint> section, try the following:

<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>

Furthermore, you may need to add another "deny" section for the uncovered methods for <url-pattern>/*</url-pattern>. However, if you are using Servlet 3.1+ (e.g. Tomcat 8.5.x), you can simply use this tag instead of another <security-constraint> section:

<deny-uncovered-http-methods />

Make sure, then, that your web.xml actually defines Servlet 3.1, e.g.:

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
  version="3.1"
  metadata-complete="true">
msa