java-ee – 警告：JACC：对于URL模式xxx,除了以下方法之外的所有

Allowable HTTP Methods

The JSF specification only requires the use of the GET and POST http
methods. If your web application does not require any other http
methods,such as PUT and DELETE,please consider restricting the
allowable http methods using the <http-method> and
<http-method-omission> elements. Please see the Security of the Java
Servlet Specification for more information the use of these elements.

我的应用程序确实不依赖于其他HTTP方法(GET和POST除外).因此,我正在尝试使用< http-method> (或< http-method-omission>)排除除GET和POST之外的所有方法.

在web.xml中,JAAS Servlet安全性约束配置如下.

<security-constraint>
    <display-name>AdminConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>ROLE_ADMIN</web-resource-name>
        <description/>
        <url-pattern>/admin_side/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ROLE_ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <display-name>UserConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>ROLE_USER</web-resource-name>
        <description/>
        <url-pattern>/user_side/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

使用这些元素,

<http-method>GET</http-method>
<http-method>POST</http-method>

我希望不允许所有其他HTTP方法.

但是,GlassFish Server 4.1会在服务器终端上记录以下警告.

Warning: JACC: For the URL pattern /user_side/*,all but the
following methods were uncovered: POST,GET

Warning: JACC: For the URL pattern /admin_side/*,GET

这是什么意思？

而不是在所有< security-constraint>中完成它.元素,可以全局配置,以便它可以应用于应用程序中的所有资源,并且可以省略除GET和POST HTTP请求之外的所有资源,即全局应用于应用程序 – 可能通过使用更通用的专用URL模式,如/ *？

有一个例子here.

06002

the above element indicates that the resource referenced by the url
pattern /test.jsp,when accessed by all the http-methods except GET,
should be constrained to be viewed only by authenticated users
belonging to the role dev. Please note that the security constraint
does not apply for the http-method GET,but only for the other
methods (POST,HEAD,PUT,etc).

我发现强文中的最后一句令人困惑.这是否意味着使用GET请求,匿名用户也可以访问给定url-pattern中列出的资源,因为它意味着“安全约束不适用于http-method GET”？