Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

url-pattern and wildcards

Tags:

java

jakarta-ee

web.xml

While configuring the security constraints for a web-module's roles in J2EE application I'm having the following problem:

Application:

Giving a servlet named customersServlet, which receives two parameters in the URL:

  • A string representing an operation (INS, UPD, DLT and DSP).
  • An identification number to identify a customer on which the operation will be performed.

E.G.: the url /servlet/cusotmersServlet?UPD,5 is used to update customer number 5 data, and the url /servlet/customersServlet?DLT,8 is used to delete customer number 8.

Problem:

If I use this security-constraint the servlet can only be accessed by the role specified, which is ok:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>...</web-resource-name>
        <url-pattern>/servlet/clientsServlet*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>clientAdmin</role-name>
    </auth-constraint>
</security-constraint>

But I want to restrict the ability to insert customers only to a role named clientAdmin.

I've tried several url patterns but none of them works as I want (all of them allow every role to access the servlet with any parameter):

<url-pattern>/servlet/clientsServlet?INS,*</url-pattern>
<url-pattern>/servlet/clientsServlet?INS/*</url-pattern>
...

How to use the wildcard * in the url-pattern tag?

Note: The application cannot be changed, so I need a solution that only implies touching the deployment descriptor.

like image 719
mmutilva Avatar asked Dec 10 '22 16:12

mmutilva

2 Answers

The <url-pattern> tag only allows a very restricted subset of wildcards. This is probably not what you are used to from other situations, where a * can be used at any position. You can download the Servlet specification here:

http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index2.html

Section SRV.11.2 of that document describes how these URL patterns are interpreted. In particular, the * does not mean "zero or more arbitrary characters" here.

like image 196
Roland Illig Avatar answered Dec 29 '22 15:12

Roland Illig

Note: The application cannot be changed, so I need a solution that only implies touching the deployment descriptor.

Not sure if this counts as an application change - perhaps you could think of it as a plug-in. You could add a Filter. This would require the ability to add a new JAR to WEB-INF/libs and the ability to define the filter in web.xml. The Filter would allow you to restrict access programmatically.

like image 29
McDowell Avatar answered Dec 29 '22 15:12

McDowell
Sign in to Comment

Related questions

How to load already instantiated JComboBox with data in Java?
java grid bag layout: avoiding center alignment
Java. Array of objects
Tomcat 6 Heap Size - Is this correct?
How are Iterators implemented in Java?
multiple error-code configuration web.xml
Java Eclipse debugger getting results of method calls
Cannot use Spring LDAP with Spring Security
Alternative to web services in Java
JSF redirect on page load
is there a dictionary i can download for java?
Java variable function parameters
java: <identifier> expected with ArrayList
Using enums or a set of classes when I know I have a finite set of different options?
Java heap keeps on shrinking! What is happening in this graph of heap size?
Xpath to get the 2nd url with the matching text in the href tag
How is Object[] cloneable
Are there macro facility for Java or C#?
Get location from where the Java code is executed
running Echo from Java

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!