struts-user mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: Allowing only POST for form submittal ????
Date Thu, 07 Aug 2003 09:39:52 GMT
Thought trave couldn't be right. I was just worried whether they would 
open up more possibilities for crackers, especially since I've listed the 
methods in my web.xml so:

<security-constraint>
   <web-resource-collection>
     <web-resource-name>LinkLibrary Application</web-resource-name>
     <!-- Define the context-relative URL(s) to be protected -->
     <url-pattern>/secure/*</url-pattern>
     <!-- If you list http methods, only those methods are protected -->
     <http-method>DELETE</http-method>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
     <http-method>PUT</http-method>
   </web-resource-collection>

and I just based this on the web.xml from the struts example app years 
ago. Anyway, I guess it's time to remove the list of http-methods.

Thanks
Adam

Jason Lea wrote:
> Adam Hardy wrote:
> 
>> Hi Jason,
>> I've heard of Get, Post, Put and Delete, but what are Head, Options 
>> and Trave?
> 
> 
> Oops, should be Trace.
> 
> as to what they do...
> 
> Servlet Spec 2.3,  2.1.2 says:
> The doHead method in HttpServlet is a specialized form of the doGet 
> method that returns only the headers produced by the doGet method. The 
> doOptions method responds with which HTTP methods are supported by the 
> servlet. The doTrace method generates a response containing all 
> instances of the headers sent in the TRACE request.
> 
> The RFC gives some more details: http://www.ietf.org/rfc/rfc2616.txt
> 
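
The comment in the web.xml excerpt above ("If you list http methods, only those methods are protected") can be checked mechanically. The following is an added example, not code from the thread or from Struts: it reports, for each web-resource-collection that lists http-method elements, which HttpServlet methods the constraint leaves uncovered. The sample descriptor is constructed from the excerpt; the auth-constraint and the second constraint are assumptions, and the check assumes a Servlet 2.3-style descriptor with no http-method-omission elements.

```python
import xml.etree.ElementTree as ET

# Methods HttpServlet dispatches to (doGet, doHead, doPost, ... doTrace).
SERVLET_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample: the excerpt from the message, closed off with a
# hypothetical auth-constraint, plus a second constraint listing no methods.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LinkLibrary Application</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _children(elem, name):
    # Compare local names so namespaced (versioned) descriptors also match.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def audit(web_xml):
    """Return (url_patterns, uncovered_methods) for each partial collection."""
    findings = []
    for elem in ET.fromstring(web_xml).iter():
        for wrc in _children(elem, "web-resource-collection"):
            listed = {(m.text or "").strip().upper()
                      for m in _children(wrc, "http-method")}
            uncovered = sorted(SERVLET_METHODS - listed)
            if listed and uncovered:  # an empty list covers every method
                patterns = [(p.text or "").strip()
                            for p in _children(wrc, "url-pattern")]
                findings.append((patterns, uncovered))
    return findings

if __name__ == "__main__":
    for patterns, uncovered in audit(SAMPLE_WEB_XML):
        print(patterns, "constraint does not apply to:", ", ".join(uncovered))
```

Findings are per collection, so a method reported here may still be covered by another constraint on the same URL pattern. Removing the http-method elements, as the message proposes, clears the finding for /secure/*.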

