LDEV-4272: Do not allow in LAMS any HTTP methods other than GET or POST.

lams_admin/web/WEB-INF/web.xml

@@ -234,10 +234,14 @@
 	</jsp-config>
 
 	<!-- Security Constraint -->
+	<deny-uncovered-http-methods />
+
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>Secure Content</web-resource-name>
 			<url-pattern>/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>GROUP MANAGER</role-name>

lams_central/web/WEB-INF/web.xml

@@ -623,10 +623,14 @@
 	</jsp-config>
 
 	<!-- Security Constraint -->
+	<deny-uncovered-http-methods />
+
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>General secure content</web-resource-name>
 			<url-pattern>/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>LEARNER</role-name>
@@ -670,13 +674,17 @@
 			<url-pattern>/includes/font-awesome/*</url-pattern>
 			<url-pattern>/ckeditor/*</url-pattern>
 			<url-pattern>/favicon.ico</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 	</security-constraint>
 
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>Authoring content</web-resource-name>
 			<url-pattern>/authoring/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>AUTHOR</role-name>
@@ -690,6 +698,8 @@
 			<web-resource-name>Organisation grouping</web-resource-name>
 			<url-pattern>/orgGroup.jsp</url-pattern>
 			<url-pattern>/orgGrouping.jsp</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>AUTHOR</role-name>
@@ -704,6 +714,8 @@
 			<web-resource-name>Add lesson</web-resource-name>
 			<url-pattern>/addLesson.jsp</url-pattern>
 			<url-pattern>/lti/addLesson.jsp</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>MONITOR</role-name>
@@ -716,6 +728,8 @@
 			<web-resource-name>Sysadmin content</web-resource-name>
 			<url-pattern>/admin.jsp</url-pattern>
 			<url-pattern>/sysadmin.jsp</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>SYSADMIN</role-name>

lams_gradebook/web/WEB-INF/web.xml

@@ -242,10 +242,14 @@
 	</jsp-config>
 
 	<!-- Security Constraint -->
+	<deny-uncovered-http-methods />
+
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>Secure Content</web-resource-name>
 			<url-pattern>/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>GROUP MANAGER</role-name>
@@ -259,6 +263,8 @@
 		<web-resource-collection>
 			<web-resource-name>Monitor content</web-resource-name>
 			<url-pattern>/gradebookMonitoring.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>SYSADMIN</role-name>

lams_learning/web/WEB-INF/web.xml

@@ -212,10 +212,14 @@
 	</jsp-config>
 
 	<!-- Security Constraint -->
+	<deny-uncovered-http-methods />
+
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>Secure Content</web-resource-name>
 			<url-pattern>/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>LEARNER</role-name>

lams_monitoring/web/WEB-INF/web.xml

@@ -192,10 +192,14 @@
 	</jsp-config>
 
 	<!-- Security Constraint -->
+	<deny-uncovered-http-methods />
+
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>Secure content</web-resource-name>
 			<url-pattern>/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>MONITOR</role-name>
@@ -206,6 +210,8 @@
 		<web-resource-collection>
 			<web-resource-name>Lesson start content</web-resource-name>
 			<url-pattern>/monitoring.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<!-- Author can preview the lesson -->

lams_tool_assessment/web/WEB-INF/web.xml

@@ -203,10 +203,14 @@
 	</jsp-config>
 
 	<!-- Security Constraint -->
+	<deny-uncovered-http-methods />
+
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>Secure content</web-resource-name>
 			<url-pattern>/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>LEARNER</role-name>
@@ -221,6 +225,8 @@
 			<web-resource-name>Authoring content</web-resource-name>
 			<url-pattern>/authoring/*</url-pattern>
 			<url-pattern>/pages/authoring/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>AUTHOR</role-name>
@@ -234,6 +240,8 @@
 			<url-pattern>/monitoring/*</url-pattern>
 			<url-pattern>/pages/monitoring/*</url-pattern>
 			<url-pattern>/definelater.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>MONITOR</role-name>

lams_tool_bbb/web/WEB-INF/web.xml

@@ -207,10 +207,14 @@
 	</jsp-config>
 
 	<!-- Security Constraint -->
+	<deny-uncovered-http-methods />
+
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>Secure Content</web-resource-name>
 			<url-pattern>/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>LEARNER</role-name>
@@ -226,6 +230,8 @@
 			<url-pattern>/authoring/*</url-pattern>
 			<url-pattern>/pages/authoring/*</url-pattern>
 			<url-pattern>/authoring.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>AUTHOR</role-name>
@@ -238,6 +244,8 @@
 			<web-resource-name>Staff content</web-resource-name>
 			<url-pattern>/pages/monitoring/*</url-pattern>
 			<url-pattern>/monitoring.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>MONITOR</role-name>
@@ -250,6 +258,8 @@
 			<web-resource-name>Admin content</web-resource-name>
 			<url-pattern>/admin/*</url-pattern>
 			<url-pattern>/pages/admin/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>SYSADMIN</role-name>

lams_tool_chat/web/WEB-INF/web.xml

@@ -223,10 +223,14 @@
 	</jsp-config>
 
 	<!-- Security Constraint -->
+	<deny-uncovered-http-methods />
+
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>Secure content</web-resource-name>
 			<url-pattern>/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>LEARNER</role-name>
@@ -242,6 +246,8 @@
 			<url-pattern>/pages/authoring/*</url-pattern>
 			<url-pattern>/authoring.do</url-pattern>
 			<url-pattern>/pedagogicalPlanner.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>AUTHOR</role-name>
@@ -254,6 +260,8 @@
 			<web-resource-name>Staff content</web-resource-name>
 			<url-pattern>/pages/monitoring/*</url-pattern>
 			<url-pattern>/monitoring.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>MONITOR</role-name>

lams_tool_daco/web/WEB-INF/web.xml

@@ -205,10 +205,14 @@
 	</jsp-config>
 
 	<!-- Security Constraint -->
+	<deny-uncovered-http-methods />
+
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>Secure content</web-resource-name>
 			<url-pattern>/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>LEARNER</role-name>
@@ -223,6 +227,8 @@
 			<web-resource-name>Authoring content</web-resource-name>
 			<url-pattern>/authoring/*</url-pattern>
 			<url-pattern>/pages/authoring/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>AUTHOR</role-name>
@@ -236,6 +242,8 @@
 			<url-pattern>/monitoring/*</url-pattern>
 			<url-pattern>/pages/monitoring/*</url-pattern>
 			<url-pattern>/definelater.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>MONITOR</role-name>

lams_tool_eadventure/web/WEB-INF/web.xml

@@ -57,10 +57,14 @@
 		<url-pattern>*.do</url-pattern>
 	</servlet-mapping>
 
+	<deny-uncovered-http-methods />
+
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>Public content</web-resource-name>
 			<url-pattern>/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 	</security-constraint>
 </web-app>

lams_tool_forum/web/WEB-INF/web.xml

@@ -228,10 +228,14 @@
 	</jsp-config>
 
 	<!-- Security Constraint -->
+	<deny-uncovered-http-methods />
+
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>Secure content</web-resource-name>
 			<url-pattern>/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>LEARNER</role-name>
@@ -247,6 +251,8 @@
 			<url-pattern>/authoring/*</url-pattern>
 			<url-pattern>/jsps/authoring/*</url-pattern>
 			<url-pattern>/authoring.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>AUTHOR</role-name>
@@ -261,6 +267,8 @@
 			<url-pattern>/jsps/monitoring/*</url-pattern>
 			<url-pattern>/monitoring.do</url-pattern>
 			<url-pattern>/definelater.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>MONITOR</role-name>

lams_tool_gmap/web/WEB-INF/web.xml

@@ -221,10 +221,14 @@
 	</jsp-config>
 
 	<!-- Security Constraint -->
+	<deny-uncovered-http-methods />
+
 	<security-constraint>
 		<web-resource-collection>
 			<web-resource-name>Secure Content</web-resource-name>
 			<url-pattern>/*</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>LEARNER</role-name>
@@ -239,6 +243,8 @@
 			<web-resource-name>Authoring content</web-resource-name>
 			<url-pattern>/pages/authoring/*</url-pattern>
 			<url-pattern>/authoring.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>AUTHOR</role-name>
@@ -251,6 +257,8 @@
 			<web-resource-name>Staff content</web-resource-name>
 			<url-pattern>/pages/monitoring/*</url-pattern>
 			<url-pattern>/monitoring.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>MONITOR</role-name>
@@ -263,6 +271,8 @@
 			<web-resource-name>Admin content</web-resource-name>
 			<url-pattern>/pages/admin/*</url-pattern>
 			<url-pattern>/lagmap10admin.do</url-pattern>
+			<http-method>GET</http-method>
+ 			<http-method>POST</http-method>
 		</web-resource-collection>
 		<auth-constraint>
 			<role-name>SYSADMIN</role-name>