Please see full comment thread here:
There are a lot of use cases for wanting to deny access to certain URL patterns and Undertow seems to have some decent support for this. Let's think of the best way to declare access control for certain paths that makes it easy to use but it still configurable. For instance, it may be easiest to simply have a list of paths that we want to deny, but it would be better if we could allow exceptions so, for instance, the CF admin would be accessible from localhost.
Here's some example use cases:
Block access to CF admins
Block access to special files such as box.json, server.json, or .cfconfig.json
Block access to all files starting with a period
Custom folders such as /tests/ or /workbench
Undertow seems to have some capability to block based on user agent, but that seems worthless since anyone can spoof that. There is also the ability to block based on IP which which seems most useful.
Here's the docs I was able to dig up: