Re: [jetty-users] Embedded Jetty: securing only a few endpoints

Thanks Greg.

"Of course the other way in embedded jetty is to just write your own handler that does a 403 or 404 for any URI other than the ones you want."

This is what we're doing, in a roundabout fashion.

I'll keep digging. Thanks for your help!

Pete

On Mon, Nov 6, 2017 at 7:47 PM, Greg Wilkins <gregw@xxxxxxxxxxx> wrote:

Pete,

this is one of the biggest mistakes of the servlet spec - the fact that "/" matches everything, so it is difficult to block everything and allow only specific paths. The default mode of the servlet spec is allow everything and block the specific ones... which is not really very secure!

From memory you have to put a constraint on "/", which will block everything.  Then allow "" which will match "/", then allow your 4 other patterns.
If that doesn't work then I'll have to check my memory.

Of course the other way in embedded jetty is to just write your own handler that does a 403 or 404 for any URI other than the ones you want.

cheers

On 7 November 2017 at 11:24, Pete Carey <pcarey@xxxxxxxxxxx> wrote:
Hello all.

Embedded Jetty Question.

What is the appropriate way to secure all endpoints *except* n endpoints? In my case, n is 4. If it makes a difference, my subclassed DefaultServlet serves up static content, and also handles the "/" endpoint in a particular way, depending on the configuration of the application.

My initial approach was:

1) Iterate over all of our servlets' paths (minus the 4 we want to remain insecure) and create a constraint mapping for each, and add those to the ConstraintSecurityHandler.

2) Add "/" to the ConstraintSecurityHandler.

It appears that adding the "/" constraint mapping secures everything. Perhaps this is according to spec; I just don't know.

Hence my original question. How to lock everything down, except n "path-specs"?

Thanks in advance, and apologies if I'm missing something obvious (highly likely).

Pete

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
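Greg's deny-everything-then-allow approach, written out as an added example for embedded Jetty 9.4 (not code from the thread or from the Jetty project); the class name, role, realm name and `realm.properties` file are placeholders, and the empty path spec re-opening "/" is Greg's recollection, so confirm it with an unauthenticated request to `/` once wired in:

```java
// Assumes the Jetty 9.4 API (the version current when this thread was written).
import java.util.ArrayList;
import java.util.List;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.util.security.Constraint;

public class DenyByDefaultSecurity {

    /** Requires a logged-in user everywhere except on the given public path specs. */
    static ConstraintSecurityHandler build(String... publicPathSpecs) {
        // Constraint that demands an authenticated user in any role ("**").
        Constraint authRequired = new Constraint();
        authRequired.setName("auth-required");
        authRequired.setAuthenticate(true);
        authRequired.setRoles(new String[] { Constraint.ANY_AUTH });
        // Constraint that demands nothing.
        Constraint open = new Constraint();
        open.setName("public");
        open.setAuthenticate(false);

        List<ConstraintMapping> mappings = new ArrayList<>();
        // 1. Deny by default: "/" is the servlet default mapping and covers
        //    every path that no more specific mapping claims.
        mappings.add(mapping("/", authRequired));
        // 2. Re-open the context root: the empty path spec "" matches only "/"
        //    and is more specific than the default mapping, so it wins there.
        mappings.add(mapping("", open));
        // 3. Re-open just the endpoints that must stay public.
        for (String spec : publicPathSpecs) {
            mappings.add(mapping(spec, open));
        }

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setConstraintMappings(mappings);
        security.setAuthenticator(new BasicAuthenticator());
        // Placeholder realm file; any LoginService implementation will do.
        security.setLoginService(new HashLoginService("app", "realm.properties"));
        return security;
    }

    private static ConstraintMapping mapping(String pathSpec, Constraint c) {
        ConstraintMapping m = new ConstraintMapping();
        m.setPathSpec(pathSpec);
        m.setConstraint(c);
        return m;
    }
}
```

Install it with `context.setSecurityHandler(build("/login", "/health", "/static/*", "/version"))` on the ServletContextHandler before starting the server; those four specs stand in for the thread's n=4 endpoints.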
