Jetty 3 Web Application

This site is a 2.2 Servlet Web Applications, configured by the webapp/jetty/WEB-INF/web.xml file.

Security Constraint Any role user=jetty password=jetty
Security Constraint Admin role user=admin password=admin
Security Constraint Relaxed constraint, using role = NONE
Security Constraint No access.

Error Page Custom page for 404 status.
Error Page Custom page for NullPointerException.

Web Application Security

Jetty has made a few interpretations of the security mechanism "described" in the servlet specifiction. The default security model is that all access is allowed unless a particular security constraint prevents access. This is vulnerable to alias attacks where alternate case or names can be used to get to a resource.

Jetty makes the following interpretations:

Methods PUT, DELETE and GET are disabled unless both a web.xml and a default config file are provided.
If multiple security constraints are defined, the most specific applies to a request.
A security constraint with no data or auth constraint prevents all access.
A security constraint with an auth constraint of NONE grants access.
On platforms without the / file separator or when the system parameter org.mortbay.util.FileResource.checkAliases is true, then the FileResouce class compares the absolutePath and canonicalPath and treats the resource as not found if they do not match.

It is strongly recommended that secure WebApplications take following approach. All access should be denied by default with

  <security-constraint>
    <web-resource-collection>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
  </security-constraint>

Specific access should be granted with constraints like:

  <security-constraint>
    <web-resource-collection>
      <url-pattern>/public/*</url-pattern>
      <url-pattern>/images/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <web-resource-collection>
      <url-pattern>/servlet/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>NONE</role-name>
    </auth-constraint>
  </security-constraint>