
WebSphere application security enabled - restriction on HTTP Methods does not work as expected

    Posted Fri February 09, 2024 11:06 AM

    Hello,

    On IBM WebSphere Application Server 9.0.5.14, in Global Security we select the "Enable application security" option and would like to restrict certain HTTP methods at application level for concrete deployed applications via the following stanzas in the application descriptor /WEB-INF/web.xml:

        <security-constraint>
            <web-resource-collection>
                <web-resource-name>restricted methods</web-resource-name>
                <url-pattern>/*</url-pattern>
                <http-method>COPY</http-method>
                <http-method>LOCK</http-method>
                <http-method>MKCOL</http-method>
                <http-method>MOVE</http-method>
                <http-method>PROPFIND</http-method>
                <http-method>PROPPATCH</http-method>
                <http-method>UNLOCK</http-method>
                <http-method>TRACE</http-method>
            </web-resource-collection>
            <auth-constraint/>
        </security-constraint>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>restricted methods 2</web-resource-name>
                <url-pattern>/css/*</url-pattern>
                <url-pattern>/fonts/*</url-pattern>
                <url-pattern>/images/*</url-pattern>
                <url-pattern>/js/*</url-pattern>
                <http-method>PUT</http-method>
                <http-method>PATCH</http-method>
                <http-method>DELETE</http-method>
                <http-method>COPY</http-method>
                <http-method>LOCK</http-method>
                <http-method>MKCOL</http-method>
                <http-method>MOVE</http-method>
                <http-method>PROPFIND</http-method>
                <http-method>PROPPATCH</http-method>
                <http-method>UNLOCK</http-method>
                <http-method>TRACE</http-method>
            </web-resource-collection>
            <auth-constraint/>
        </security-constraint>

    This configuration works perfectly on other application servers (Tomcat / WebLogic), but on WebSphere we are facing unexpected behavior that we cannot resolve: although the HTTP PATCH method is blocked only for concrete URL patterns, we receive "HTTP 403 Forbidden" for any URL, i.e. for URLs that do not match the configured url-patterns. For example, we get "HTTP 403" for a PATCH request to

       <app context>/api/be/password/changePassword

    which definitely does not match the url-patterns in web.xml (and which is served fine on all other app servers where we deploy the same web.xml).

    If we remove the security-constraint sections above from web.xml, HTTP PATCH works well. We do this test by directly accessing WebSphere on its HTTP interface; there is no other HTTPD in front of it.

    What is even more unusual is that with these security-constraints in the web.xml of a single application deployed on WAS, HTTP PATCH becomes blocked with HTTP 403 for all other deployed applications (with different contexts), whereas we expect the scope of these security constraints to be only the context of the particular application that has them in its web.xml.

    Can anyone give a hint about what we are doing wrong, considering that this technique to restrict HTTP methods on WAS is exactly what we find in the IBM documentation?

    Thanks in advance,

    George 



    ------------------------------
    george serdaroff
    ------------------------------
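As an added example (not part of the post above and not IBM's code), a small Python script that reads security-constraint stanzas and reports which constraints deny a given method on a given path when the descriptor is read in the Servlet specification's own terms: it assumes standard url-pattern matching (default "/", path prefix "/x/*", extension "*.ext", exact) and uses a constructed, trimmed copy of the post's web.xml. Comparing its answer for PATCH on /api/be/password/changePassword with what the server actually returns isolates the server's interpretation from the descriptor's intent.

```python
import xml.etree.ElementTree as ET
# Constructed, trimmed copy of the post's web.xml stanzas (default namespace omitted).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>COPY</http-method><http-method>PROPFIND</http-method><http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods 2</web-resource-name>
      <url-pattern>/css/*</url-pattern><url-pattern>/js/*</url-pattern>
      <http-method>PUT</http-method><http-method>PATCH</http-method><http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern matching: default '/', path prefix '/x/*', extension '*.ext', exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def load_constraints(xml_text):
    """(name, url-patterns, http-methods, deny_all) per collection; empty <auth-constraint/> = deny all."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        auth = sc.find("auth-constraint")
        deny_all = auth is not None and auth.find("role-name") is None
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
            out.append((wrc.findtext("web-resource-name"), patterns, methods, deny_all))
    return out

def denying_constraints(constraints, method, path):
    """Constraint names that, per the Servlet spec, deny `method` on `path` (no http-method listed = all)."""
    method = method.upper()
    return [name for name, patterns, methods, deny_all in constraints
            if deny_all and (not methods or method in methods)
            and any(pattern_matches(p, path) for p in patterns)]
```

Per the descriptor, `denying_constraints(load_constraints(WEB_XML), "PATCH", "/api/be/password/changePassword")` is empty, so a 403 there comes from the container, not from the constraints as written.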