I have the following security constraints entered in the web.xml. My objective is that the XML files are in the Public area. This works for the /images/*
folder. However the url-pattern *.xml
does not seem to work. Any ideas ?
<security-constraint>
<web-resource-collection>
<web-resource-name>Public Area</web-resource-name>
<url-pattern>/xyz</url-pattern>
<url-pattern>/images/*</url-pattern>
<url-pattern>/yyz/*</url-pattern>
<url-pattern>*.xml</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Super User Area</web-resource-name>
<url-pattern>/test/list1</url-pattern>
<url-pattern>/test/list2</url-pattern>
<url-pattern>/test/list3</url-pattern>
<url-pattern>/test/admin.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>SUPER_USER</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
<role-name>END_USER</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>Super User</description>
<role-name>SUPER_USER</role-name>
</security-role>
<security-role>
<description>Admin User</description>
<role-name>ADMIN</role-name>
</security-role>
<security-role>
<description>End User</description>
<role-name>END_USER</role-name>
</security-role>
Specifically, you use the @HttpConstraint and, optionally, the @HttpMethodConstraint annotations within the @ServletSecurity annotation to specify a security constraint. If your web application does not use a servlet, however, you must specify a security-constraint element in the deployment descriptor file.
Security constraints determine how web content is to be protected. These properties associate security constraints with one or more web resource collections. A constraint consists of a web resource collection, an authorization constraint and a user data constraint.
The transport-guarantee element value specifies the degree to which communication between the client and server should be protected. Its values are NONE , INTEGRAL , and CONFIDENTIAL . A value of NONE means that the application does not require any transport guarantees.
One of your other URL patterns matches more than this url-pattern
- *.xml requestURI, that's why it's not working. For example, if you have /test/list/user.xml
, then this will be treated as a web resource collection in Super user Area and thus SUPER_USER can only have access. so, ensure that url-pattern is declared more specific to resources to avoid clashes and mis-interpretation. Thanks
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With