Kevin W. Wall
kevin.w.wall at gmail.com
Thu Aug 16 06:12:03 UTC 2012
I'm confused... if you allow POSTs for everything else, you surely want to
allow a POST for Login.jsp. If you use GET for Login.jsp, then passwords
will end up in your server logs.
Sent from my Droid; please excuse typos.
On Aug 16, 2012 2:00 AM, "Nithya2 B" <nithya2.b at tcs.com> wrote:
> I'm using ESAPI for some security-related issues in one of my apps.
> I just have a query on that.
> We wanted to deny all HTTP GET methods and allow only POST methods, except
> for Login.jsp.
> Please let me know the configuration.
> The following configuration is blocking the login screen from appearing, as
> it is a GET request:
> <restrict-extension deny=".jpg" />
> <restrict-method deny="GET" path=".*\/MyApp/.action$" />
> <restrict-method allow="(POST|TRACE)" />
> <enforce-https path="/.*">
> <path-exception type="regex">/MyApp/images/.*</path-exception>
> <path-exception type="regex">/MyApp/css/.*</path-exception>
> <path-exception type="regex">/MyApp/js/.*</path-exception>
> <path-exception type="regex">/help/.*</path-exception>
> </enforce-https>
> Nithya B
> Tata Consultancy Services
> Mailto: nithya2.b at tcs.com
> Website: http://www.tcs.com
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
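The script below is an added example and is not from the thread or from ESAPI itself. It models how a sequence of `<restrict-method>` rules is evaluated so the posted configuration can be compared with a corrected one: a rule carrying a `path` attribute is skipped unless its regex fully matches the request URI; an `allow` rule rejects any method outside its regex; a `deny` rule rejects any method inside it; the first rejection wins. That evaluation order, the full-match path semantics, and the URIs `/MyApp/transfer.action` and `/MyApp/css/site.css` are assumptions made for illustration, not ESAPI WAF's documented behaviour. Under this model the posted rules reject `GET /MyApp/Login.jsp` (and every GET for CSS, JS and images) because the path-less `allow="(POST|TRACE)"` rule applies to every URI. The corrected set lets Login.jsp take both GET (to render the form) and POST (to submit it, as Kevin's reply asks), lets the static directories take GET, and scopes the POST-only rule with a negative lookahead so those paths escape it; it also stops allowing TRACE. One regex caveat: the posted `.*\/MyApp/.action$` pattern, read literally, only matches URIs such as `/MyApp/xaction`, because the `.` before `action` is an unescaped wildcard rather than `\.`.

```python
"""Model of ESAPI WAF <restrict-method> evaluation (added example, not ESAPI code).

Assumed semantics: rules run in document order; a rule with a path regex is
in scope only when the regex fully matches the URI; an in-scope allow rule
rejects methods outside its regex, a deny rule rejects methods inside it;
the first rejection blocks the request.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: the two restrict-method rules exactly as posted in the thread.
POSTED_RULES = r"""
<authorization-rules>
  <restrict-method deny="GET" path=".*\/MyApp/.action$" />
  <restrict-method allow="(POST|TRACE)" />
</authorization-rules>
"""

# Constructed: a rule set that serves Login.jsp over GET and POST, serves the
# static directories over GET, and requires POST for every other URI.
FIXED_RULES = r"""
<authorization-rules>
  <restrict-method allow="(GET|POST)" path="^/MyApp/Login\.jsp$" />
  <restrict-method allow="GET" path="^/MyApp/(images|css|js)/.*$" />
  <restrict-method allow="POST" path="^(?!/MyApp/(Login\.jsp$|(images|css|js)/)).*$" />
</authorization-rules>
"""

# Constructed sample requests; transfer.action and site.css are hypothetical.
REQUESTS = [
    ("GET", "/MyApp/Login.jsp"),        # browser renders the login form
    ("POST", "/MyApp/Login.jsp"),       # browser submits the credentials
    ("GET", "/MyApp/css/site.css"),     # static asset referenced by the form
    ("GET", "/MyApp/transfer.action"),  # state-changing action over GET
    ("POST", "/MyApp/transfer.action"),
    ("TRACE", "/MyApp/Login.jsp"),
]


def load_rules(policy_xml):
    """Compile every <restrict-method> element into (allow, deny, path) regexes."""
    root = ET.fromstring(policy_xml)
    rules = []
    for el in root.iter("restrict-method"):
        compiled = {}
        for attr in ("allow", "deny", "path"):
            value = el.get(attr)
            compiled[attr] = re.compile(value) if value else None
        rules.append(compiled)
    return rules


def check(rules, method, uri):
    """Return (allowed, reason) for one request under the assumed semantics."""
    for index, rule in enumerate(rules):
        if rule["path"] is not None and not rule["path"].fullmatch(uri):
            continue  # rule is scoped to other URIs
        if rule["allow"] is not None and not rule["allow"].fullmatch(method):
            return False, f"rule {index}: {method} not in allow={rule['allow'].pattern}"
        if rule["deny"] is not None and rule["deny"].fullmatch(method):
            return False, f"rule {index}: {method} matches deny={rule['deny'].pattern}"
    return True, "no rule rejected the request"


def evaluate(policy_xml, requests=REQUESTS):
    """Map 'METHOD /uri' to True (allowed) or False (blocked) for a policy."""
    rules = load_rules(policy_xml)
    return {f"{m} {u}": check(rules, m, u)[0] for m, u in requests}


if __name__ == "__main__":
    for label, policy in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(f"--- {label} rules ---")
        for m, u in REQUESTS:
            allowed, reason = check(load_rules(policy), m, u)
            print(f"{'allow' if allowed else 'BLOCK':5} {m:5} {u}  ({reason})")
```

Running the script prints one line per request for each rule set; the `reason` string names the rule that rejected a request, which is the quickest way to see why a login page stops rendering after a blanket method restriction is added.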