Okay, so I've been running a Java/Jersey webservice on Tomcat with basic authentication which works perfectly fine. I've got permissions set up in the web.xml file of my proje
You shouldn't list http-methods. Doing so means that the security-constraint ONLY applies to those methods and can be bypassed with so-called "extension" methods, like the JEFF method. Just remove them and the constraint will apply to everything. There's a paper on http verb tampering at https://www.aspectsecurity.com/research/aspsec_presentations/download-bypassing-web-authentication-and-authorization-with-http-verb-tampering/
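An added example, not part of the original answer: a small Python check that flags every `web-resource-collection` in a `web.xml` that lists `<http-method>`, run over a constructed weak descriptor and the same descriptor with the method list removed. The URL pattern, role name and function names are assumptions; the check also treats the Servlet 3.1 `<deny-uncovered-http-methods/>` element as closing the gap.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint covers only GET and POST, so any other
# verb sent to /rest/* falls outside the constraint.
WEAK = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the same constraint with the <http-method> lines removed.
FIXED = "\n".join(l for l in WEAK.splitlines() if "<http-method>" not in l)


def local(el):
    """Tag name without the XML namespace, so any web-app schema version parses."""
    return el.tag.rsplit("}", 1)[-1]


def verb_scoped_constraints(web_xml):
    """Return [(url_patterns, listed_methods)] for collections that list verbs."""
    root = ET.fromstring(web_xml)
    # Servlet 3.1 descriptors can deny every verb that no constraint covers.
    if any(local(e) == "deny-uncovered-http-methods" for e in root.iter()):
        return []
    findings = []
    for coll in root.iter():
        if local(coll) != "web-resource-collection":
            continue
        methods = [c.text.strip() for c in coll if local(c) == "http-method" and c.text]
        if methods:
            urls = [c.text.strip() for c in coll if local(c) == "url-pattern" and c.text]
            findings.append((urls, methods))
    return findings


if __name__ == "__main__":
    for name, doc in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, verb_scoped_constraints(doc) or "constraint applies to all methods")
```
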