Security constraint in web.xml not getting applied to URL patterns having file extension
I have the following security constraints entered in the web.xml. My objective is that the XML files are in the Public area. This works for the /images/* folder. However, the url-pattern *.xml does not seem to work. Any ideas?

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Public Area</web-resource-name>
            <url-pattern>/xyz</url-pattern>
            <url-pattern>/images/*</url-pattern>
            <url-pattern>/yyz/*</url-pattern>
            <url-pattern>*.xml</url-pattern>
        </web-resource-collection>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Super User Area</web-resource-name>
            <url-pattern>/test/list1</url-pattern>
            <url-pattern>/test/list2</url-pattern>
            <url-pattern>/test/list3</url-pattern>
            <url-pattern>/test/admin.html</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SUPER_USER</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN</role-name>
            <role-name>END_USER</role-name>
        </auth-constraint>
    </security-constraint>


    <security-role>
        <description>Super User</description>
        <role-name>SUPER_USER</role-name>
    </security-role>
    <security-role>
        <description>Admin User</description>
        <role-name>ADMIN</role-name>
    </security-role>
    <security-role>
        <description>End User</description>
        <role-name>END_USER</role-name>
    </security-role>
Bosporus answered 18/10, 2013 at 4:16 Comment(7)
It would help if you provided an example or two of some URLs that don't work as you expect.Quadrumanous
When I try https://<domain>/testresource.xml, the system redirects to the authentication page.Bosporus
Then Keerthi Ramanathan has already given you the answer.Quadrumanous
I don't think that answers the question. The xml files are located in the web-app root. I don't have any overlapping paths as far as I can see.Bosporus
Yes you do have overlapping patterns. /testresource.xml matches /* and *.xml.Quadrumanous
As per what you mentioned above, it should pick-up the more specific path i.e. *.xml right?Bosporus
Wrong. You need to read section 13.8.3 of the Servlet 3.1 specification followed by section 12.1. Earlier versions of the specification define the same rules but may use different section numbers for the relevant parts.Quadrumanous
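The two specification sections cited in the last comment are the key: §13.8.3 says the container picks the constraint attached to the url-pattern that is the *best match* for the request URI, and §12.1 defines best match as exact match first, then longest path-prefix, then extension, then default. The following is an added example, not code from the question or from any servlet container: a small Python re-implementation of that precedence, run against a pattern table constructed from the question's own web.xml. It shows that `/testresource.xml` is captured by the path-prefix pattern `/*` (Protected Area) before the extension pattern `*.xml` is ever considered, and that `*.xml` does win as soon as no prefix pattern covers the URI.

```python
"""Best-match selection of web.xml <security-constraint> url-patterns.

Added example, not code from the question or from a servlet container.
It re-implements the Servlet 3.1 section 12.1 precedence that section
13.8.3 says the container must use to choose WHICH url-pattern's
constraint applies to a request URI:

  1. exact match            (/xyz)
  2. longest path-prefix    (/images/*, /*)
  3. extension              (*.xml)
  4. default                (/)
"""
from __future__ import annotations

# Pattern table constructed from the question's web.xml:
# url-pattern -> (web-resource-name, roles in auth-constraint).
# An empty role tuple means there is no <auth-constraint>, i.e. public.
CONSTRAINTS: dict[str, tuple[str, tuple[str, ...]]] = {
    "/xyz": ("Public Area", ()),
    "/images/*": ("Public Area", ()),
    "/yyz/*": ("Public Area", ()),
    "*.xml": ("Public Area", ()),
    "/test/list1": ("Super User Area", ("SUPER_USER",)),
    "/test/list2": ("Super User Area", ("SUPER_USER",)),
    "/test/list3": ("Super User Area", ("SUPER_USER",)),
    "/test/admin.html": ("Super User Area", ("SUPER_USER",)),
    "/*": ("Protected Area", ("ADMIN", "END_USER")),
}


def best_match(uri: str, patterns) -> str | None:
    """Return the url-pattern that wins for `uri` under section 12.1 precedence."""
    patterns = list(patterns)

    # 1. An exact match trumps everything else.
    if uri in patterns:
        return uri

    # 2. Longest path-prefix match. "/foo/*" matches "/foo" and "/foo/...";
    #    "/*" has the empty prefix and therefore matches every URI.
    best = None
    for p in patterns:
        if not p.endswith("/*"):
            continue
        prefix = p[:-2]
        if uri == prefix or uri.startswith(prefix + "/"):
            if best is None or len(p) > len(best):
                best = p
    if best is not None:
        return best

    # 3. Extension match on the last path segment, only reached when
    #    no prefix pattern matched.
    last = uri.rsplit("/", 1)[-1]
    if "." in last:
        ext = "*." + last.rsplit(".", 1)[-1]
        if ext in patterns:
            return ext

    # 4. Default mapping, if declared.
    return "/" if "/" in patterns else None


def effective_constraint(uri: str) -> tuple[str, str, tuple[str, ...]] | None:
    """(winning pattern, area name, required roles), or None if unconstrained."""
    pattern = best_match(uri, CONSTRAINTS)
    if pattern is None:
        return None
    area, roles = CONSTRAINTS[pattern]
    return pattern, area, roles


if __name__ == "__main__":
    # The URI from the question's comments plus a few others from the table.
    for uri in ("/testresource.xml", "/images/logo.png", "/xyz", "/test/list1"):
        print(f"{uri:22} -> {effective_constraint(uri)}")
    # Same URI with the catch-all removed: now the extension pattern is reached.
    without_catch_all = [p for p in CONSTRAINTS if p != "/*"]
    print("/testresource.xml without /* ->", best_match("/testresource.xml", without_catch_all))
```

Running this prints `/*` and `Protected Area` for `/testresource.xml`, which is exactly the redirect-to-login behaviour reported in the comments, while `/images/logo.png` resolves to `/images/*` because it is a longer prefix than `/*`. Because an extension pattern can never outrank a matching prefix pattern, a public `*.xml` cannot coexist with a `/*` catch-all; the spec-conformant way to keep the XML files public is to serve them under their own prefix (for example a `/public/*` pattern, which beats `/*` by length).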
One of your other URL patterns matches the request URI better than this *.xml url-pattern; that's why it's not working. For example, if you have /test/list/user.xml, then this will be treated as a web resource collection in the Super User Area and thus only SUPER_USER can have access. So, ensure that the url-pattern is declared more specifically for the resources to avoid clashes and misinterpretation. Thanks

Hallel answered 18/10, 2013 at 5:3 Comment(1)
Were you able to fix it?Hallel
Actually, the sequence of the placement is the issue: the first security constraint should be the super_user one, then the public area security constraints. If you put the security constraint belonging to the public area first, it will be overwritten by the following security constraints.

Fiance answered 7/11, 2016 at 13:6 Comment(0)