AO Servlet Firewall WebJars

project: alphamanagement: previewpackaging: developmental
java: >= 11java ee: >= 7semantic versioning: 2.0.0license: LGPL v3

BuildMaven CentralQuality Gate StatusLines of Code
Reliability RatingSecurity RatingMaintainability RatingCoverage

AO Servlet Firewall rules for WebJars.


  • Reserves greedy Path Space for /webjars/*** (no components in sub-paths may be added).
  • Constrains request method to OPTIONS, HEAD, and GET.
  • TODO: Block all parameters for canonicalization? Only allow LastModified? 301/302/307 redirect LastModified when doesn't match current LastModified (impact on clustering?)?
  • Small footprint, minimal dependencies - not part of a big monolithic package.
  • Java 1.8 implementation:
    • Java EE 6+ compatible.


WebJars are wonderfully easy-to-use, just add a dependency to your project and off you go. This project reserves Path Space for /webjars/*** and opens the AO Servlet Firewall to OPTIONS, HEAD, and GET. Just add this project as an additional dependency and the firewall rules are ready-to-go (assuming metadata-complete="false" in /WEB-INF/web.xml).