<security-constraint> <url-pattern> and the * character within web.xml

user3646347 · May 17, 2014 · Viewed 20.2k times

Using Spring for Security, I can get the program running using the following code.

<intercept-url pattern="/web/admin**/**" access="ROLE_ADMIN" requires-channel="https"/>
<intercept-url pattern="/web/**/" access="ROLE_USER,ROLE_ADMIN" requires-channel="https"/>

I am trying to do this within a web.xml currently, using JBOSS to deploy a .war file. Below is what I have; the url-pattern is what is causing me the problems in the first security-constraint. The pages are located at, and named, /web/adminarchive, /web/adminsettings, /web/adminstuff, etc. The code above within Spring handled it the way I want, with the URL being /web/admin**/** to catch all admin pages. I commented out the /* section, since I know it works, leaving just the admin one. Using that structure throws no errors; it just doesn't prompt for login at all.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Name</web-resource-name>
        <url-pattern>/web/admin**/**</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_ADMIN</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Name</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
</security-constraint>

Answer

Evandro Pomatti · May 17, 2014

UPDATE

You are right, the code I posted won't work for the purpose you need.

According to the Java Servlet 3.1 Specification, chapter 12.2, the mappings are defined as follows:

In the Web application deployment descriptor, the following syntax is used to define mappings:

  • A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
  • A string beginning with a ‘*.’ prefix is used as an extension mapping.
  • The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form
    http://host:port/<context-root>/. In this case the path info is ‘/’
    and the servlet path and context path is empty string ("").
  • A string containing only the ‘/’ character indicates the "default" servlet of the application. In this case the servlet path is the
    request URI minus the context path and the path info is null.
  • All other strings are used for exact matches only.

The last constraint:

All other strings are used for exact matches only.

From my understanding, you won't be able to use the ** wildcard referring to subdirectories, since it will be a specific match.

It seems like <url-pattern>/web/admin/*</url-pattern> should work.
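The matching rules quoted above can be checked before deploying a web.xml; the following is an added example in Python (not code from the question, the answer or any servlet container) that models the chapter 12.2 pattern kinds and the best-match selection a container applies to security constraints, with the question's and the answer's patterns as constructed input.

```python
# Added example, not code from the question, the answer or any container:
# a model of the Servlet 3.1 url-pattern rules (chapter 12.2) and of how a
# container selects the security-constraint for a request (best-matching
# pattern, section 13.8.3). Paths are context-relative, e.g. "/web/x".
from typing import Iterable, Optional, Set, Tuple

Constraint = Tuple[str, Set[str]]  # (url-pattern, roles from auth-constraint)


def match_rank(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Rank of the match between a url-pattern and a path, or None.

    Exact matches rank highest, then the longest path-prefix mapping,
    then extension mappings, then the default servlet pattern "/".
    """
    if pattern == "/":                         # "default" servlet: matches anything
        return (0, 0)
    if pattern.startswith("*."):               # extension mapping, e.g. "*.jsp"
        return (1, 0) if path.endswith(pattern[1:]) else None
    if pattern.endswith("/*"):                 # path mapping, e.g. "/web/admin/*"
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern == "":                          # context root only
        return (3, 0) if path == "/" else None
    # Anything else, "**" included, is a literal string compared for equality.
    return (3, len(pattern)) if pattern == path else None


def required_roles(constraints: Iterable[Constraint], path: str) -> Optional[Set[str]]:
    """Roles demanded by the best-matching constraint; None when nothing
    matches, in which case the container serves the page without a login."""
    best = None
    for pattern, roles in constraints:
        rank = match_rank(pattern, path)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, roles)
    return best[1] if best else None


# Constructed from the question (first list) and the answer (second list).
QUESTION = [("/web/admin**/**", {"ROLE_ADMIN"}), ("/*", {"ROLE_USER"})]
ANSWER = [("/web/admin/*", {"ROLE_ADMIN"}), ("/*", {"ROLE_USER"})]

if __name__ == "__main__":
    for path in ("/web/adminarchive", "/web/admin/archive"):
        print(path, required_roles(QUESTION[:1], path), required_roles(ANSWER, path))
```

Run on the question's paths, the model shows why the admin constraint alone never prompts (the literal pattern matches only itself) and that /web/admin/* covers only paths below /web/admin/, so a page named /web/adminarchive still falls under /* and ROLE_USER. Pages that should require ROLE_ADMIN therefore need to live under a common directory such as /web/admin/, or each needs its own exact-match url-pattern.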