Jetty 3 Web Application

This site is a Servlet 2.2 Web Application, configured by the webapp/jetty/WEB-INF/web.xml file.

Web Application Security

Jetty has made a few interpretations of the security mechanism "described" in the servlet specification. The default security model is that all access is allowed unless a particular security constraint prevents access. This is vulnerable to alias attacks, where an alternate case or name for the same resource does not match the constraint written for it and so reaches the resource.

Jetty makes the following interpretations:

It is strongly recommended that secure WebApplications take the following approach. All access should be denied by default with:
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <!-- an empty auth-constraint admits no role at all, so everything under / is denied -->
    <auth-constraint/>
  </security-constraint>
Specific access should be granted with constraints like:
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/public/*</url-pattern>
      <url-pattern>/images/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <web-resource-collection>
      <url-pattern>/servlet/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>NONE</role-name>
    </auth-constraint>
  </security-constraint>
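The difference between the two models, as an added illustration that is not part of the Jetty documentation or code: a small policy evaluator runs the default allow-everything-except model and the recommended deny-by-default model against requests, including a case-variant alias of a protected path as served by a case-folding file system. It assumes the servlet semantics that an empty auth-constraint forbids and a missing one allows, that NONE is Jetty's role name for public access, and that the most specific matching url-pattern decides (the deny-by-default layout depends on that); the resources and request paths are constructed samples.

```python
# Added model of the two web.xml policies above (not Jetty code). Assumed:
# roles None = no <auth-constraint> (open), [] = empty <auth-constraint/>
# (forbidden), ["NONE"] = Jetty's public role; most specific pattern wins.

def specificity(pattern, path):
    """Rank of pattern against path (higher = more specific), or None."""
    if pattern == path:
        return (2, len(pattern))                   # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, len(prefix))                # path-prefix match
    return (0, 0) if pattern == "/" else None      # "/" is the default

def decide(constraints, method, path):
    """Return 'allow', 'deny' or 'auth' (a role check would be needed)."""
    best, verdicts = None, []
    for patterns, methods, roles in constraints:
        if methods and method not in methods:      # not for this verb
            continue
        for pattern in patterns:
            rank = specificity(pattern, path)
            if rank is None:
                continue
            if best is None or rank > best:
                best, verdicts = rank, []
            if rank == best:
                verdicts.append(roles)
    if best is None:
        return "allow"                             # nothing matched: open
    if [] in verdicts:
        return "deny"
    if any(r is None or "NONE" in r for r in verdicts):
        return "allow"
    return "auth"

# Constructed sample content, keyed as a case-folding file system finds it.
RESOURCES = {"/private/secret.txt": "top secret"}

def serve(constraints, method, path):
    """Check the path as requested, then resolve it the way the FS would."""
    verdict = decide(constraints, method, path)
    return verdict if verdict != "allow" else RESOURCES.get(path.lower(), "404")

# Default model: everything open, one constraint closes /private/*.
DENY_LIST = [(["/private/*"], None, [])]
# Recommended model: "/" closed, specific paths and verbs opened with NONE.
DENY_DEFAULT = [(["/"], None, []),
                (["/public/*", "/images/*"], ["GET", "HEAD"], ["NONE"]),
                (["/servlet/*"], ["GET", "HEAD", "POST"], ["NONE"])]
```

Under DENY_LIST the alias /Private/secret.txt matches no constraint and the file system still finds the file; under DENY_DEFAULT the same request falls through to the / constraint and is refused, as is any verb the grants do not list.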