<security-constraint> <url-pattern> and the * character within web.xml

According to the Java Servlet 3.1 Specification, chapter 12.2, the mappings are defined as follows:

In the Web application deployment descriptor, the following syntax is used to define mappings:

  • A string beginning with a '/' character and ending with a '/*' suffix is used for path mapping.
  • A string beginning with a '*.' prefix is used as an extension mapping.
  • The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form
    http://host:port/<context-root>/. In this case the path info is '/'
    and the servlet path and context path is empty string ("").
  • A string containing only the '/' character indicates the "default" servlet of the application. In this case the servlet path is the
    request URI minus the context path and the path info is null.
  • All other strings are used for exact matches only.

The last constraint:

All other strings are used for exact matches only.

To my understanding, you won't be able to use the ** wildcard referring to subdirectories, since it will be a specific match.

It seems like <url-pattern>/web/admin/*</url-pattern> should work.
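As an added illustration (not part of the original answer), the following Python models the five url-pattern rules quoted above and applies them to the page names from the question, so you can see which pages a given <security-constraint> actually covers. Paths are assumed to be already stripped of the context path; the page names are taken from the question and /web/home is a constructed extra.

```python
# Model of the Servlet 3.1 section 12.2 url-pattern rules (added example,
# not the container's code).  Paths are assumed to exclude the context path.

def pattern_matches(pattern: str, path: str) -> bool:
    """Return True if a web.xml url-pattern covers the given request path."""
    if pattern == "":                       # context root only
        return path == "/"
    if pattern == "/":                      # "default" servlet: treated here
        return True                         # as covering every path
    if pattern.startswith("/") and pattern.endswith("/*"):
        # Path mapping: covers the prefix itself and anything below it,
        # stepping down the path a '/'-separated segment at a time.
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):            # extension mapping, e.g. *.jsp
        return path.endswith(pattern[1:])
    # Anything else (including "/web/admin**/**") is an exact match only.
    return pattern == path


# Page names from the question plus one constructed non-admin page.
PAGES = ["/web/admin", "/web/adminarchive", "/web/adminsettings",
         "/web/adminstuff", "/web/admin/settings", "/web/home"]


def unprotected(pattern: str, paths=PAGES) -> list:
    """Pages that a constraint using this url-pattern would NOT cover."""
    return [p for p in paths if not pattern_matches(pattern, p)]


if __name__ == "__main__":
    for pat in ["/web/admin**/**", "/web/admin/*", "/web/admin"]:
        print(f"{pat!r:20} leaves unprotected: {unprotected(pat)}")
```

Running it shows that /web/admin**/** protects nothing (no request path is literally that string), while /web/admin/* only covers /web/admin and paths below it, which is exactly the behaviour reported in the comments.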

Author: user3646347

Updated on January 31, 2022

Comments

  • user3646347, over 2 years

    Using Spring Security, I can get the program running using the following code.

    <intercept-url pattern="/web/admin**/**" access="ROLE_ADMIN" requires-channel="https"/>
    <intercept-url pattern="/web/**/" access="ROLE_USER,ROLE_ADMIN" requires-channel="https"/>
    

    I am trying to do this within a web.xml currently, using JBoss to deploy a .war file. Below is what I have; the url-pattern in the first security-constraint is what is causing me the problems. The pages are located at, and named, /web/adminarchive, /web/adminsettings, /web/adminstuff, etc. The code above within Spring handled it the way I want, with the URL being /web/admin**/** to catch all admin pages. I commented out the /* section, since I know it works, leaving just the admin one. Using that structure throws no errors; it just doesn't prompt for login at all.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Name</web-resource-name>
            <url-pattern>/web/admin**/**</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ROLE_ADMIN</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Name</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ROLE_USER</role-name>
        </auth-constraint>
    </security-constraint>
    
  • user3646347, about 10 years
    Just tested that out. <url-pattern>/web/admin/*</url-pattern> works exactly the same way as <url-pattern>/web/admin</url-pattern> in that it only prompts on the actual page /web/admin. If I try hitting any other pages, i.e. /web/adminsettings, it goes on through to the page without the prompt (cleared cache and made sure I wasn't logged in). Using JBoss to deploy the app as a .war file, if that helps; left it out of the original question. This does trigger the prompt if I try to go to a page /web/admin/something, however that isn't the structure of the URLs used by the web app.
  • Evandro Pomatti, about 10 years
    Do you mean /web/adminsettings or /web/admin/settings? Because the former won't work. Servlet won't let you use wildcards in that way. JBoss uses a Tomcat fork under the hood and the behavior should be the same as the specification. It looks to me that you will need to add one more level of the path, like /web/admin/settings, if you want to go with the Servlet specification instead of Spring.
    Do you mean /web/adminsettings or /web/admin/settings? Beucase the former wont work. Servlet wont let you use wildcards in that way. JBoss uses a Tomcat fork under the hoods and the behavior should be the same as the specification. It looks to me that you will need to add one more level of the path, like /web/admin/settings if you wanna go with Servlet specification instead of Spring.