  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Common pages</web-resource-name>
      <url-pattern>/test1.html</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>MY_GROUP</role-name>
    </auth-constraint>
  </security-constraint>

As expected, with this constraint, the page /test1.html needs authentication, and the page /test2.html does not need authentication.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Common pages</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>MY_GROUP</role-name>
    </auth-constraint>
  </security-constraint>

As expected, with this constraint, all pages need authentication, including /test2.html.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Common pages</web-resource-name>
      <url-pattern>/</url-pattern>
      <url-pattern>/test1.html</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>MY_GROUP</role-name>
    </auth-constraint>
  </security-constraint>

With this constraint, I would expect that the pages /test1.html and / need authentication, but the page /test2.html should not need authentication.

However, it turns out that /test2.html also requires authentication.

Question 1. Is that normal? Why is that so?

Question 2. Where is it written in the specification that the url-pattern "/" is equivalent to "/*"? Java Servlet Specification 2.5: http://goo.gl/UxoPL

Question 3. How can I tell that the root page "/" requires authentication, but not the other pages?

PS: I am using jboss-eap-4.3.

David Portabella

1 Answer

The / is a special URL pattern which matches everything that is not matched by any of the more specific servlet URL patterns in the same webapp like /app/*, *.do, etc. It's, say, the "default servlet". This is by default handled by the servlet container's own default servlet and is usually used for static resources like plain vanilla HTML/CSS/JS/image files for which none of the webapp's own servlets would be invoked. Tomcat for example has the DefaultServlet for this purpose.

The /* is an overly generic URL pattern which matches everything, including the "default servlet" requests. This URL pattern is normally to be used by filters only, not by servlets. Otherwise you'd have to reinvent the job of the servlet container's own default servlet to deal with static files like plain vanilla HTML/CSS/JS/image files.

As to your concrete functional requirement, you need to specify a welcome file for /:

<welcome-file-list>
    <welcome-file>index.html</welcome-file>
</welcome-file-list>

and then put the security constraint URL pattern on /index.html instead.

BalusC
  • Thanks. Could you please point out where in the J2EE specification this is written? – David Portabella May 29 '12 at 15:59
  • The servlet spec (http://jcp.org/aboutJava/communityprocess/final/jsr315/index.html) chapter 12.1: *"If neither of the previous three rules result in a servlet match, the container will attempt to serve content appropriate for the resource requested. If a "default" servlet is defined for the application, it will be used. Many containers provide an implicit default servlet for serving content."* and 12.2: *"A string containing only the '/' character indicates the "default" servlet of the application."* – BalusC May 29 '12 at 16:01
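The matching rules the answer and its comment describe (Servlet spec 12.1, applied to security-constraint url-patterns as 13.8.3 requires) can be modelled without deploying a webapp. The following is an added example written for this page, not code from the question, the answer, or any container; it implements the exact / longest-path-prefix / extension / default "/" selection order and runs the three web.xml variants from the question plus the welcome-file variant from the answer through it. The names (`Constraint`, `best_match`, `requires_auth`, `protected_paths`, `CONFIG_1` to `CONFIG_4`) are the example's own, and the welcome-file step is an assumption modelled on Tomcat-style behaviour (a request for "/" is rewritten to the first welcome file, which is assumed to exist, before constraints are matched). It also exercises one caveat a practitioner will want to check: a constraint that lists `<http-method>GET</http-method>` covers only GET, so other verbs on the same URL stay unconstrained unless the http-method element is omitted.

```python
"""Model of how a servlet container picks the <security-constraint> governing a request:
Servlet spec 12.1 mapping rules applied to constraint url-patterns (spec 13.8.3)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>. Empty `methods` means no <http-method> element, i.e. all methods."""
    patterns: Tuple[str, ...]
    methods: Tuple[str, ...] = ()
    requires_auth: bool = True  # True when an <auth-constraint> naming at least one role is present


def best_match(path: str, patterns: Iterable[str]) -> Optional[str]:
    """Spec 12.1 order: exact match, then longest path prefix ('/x/*'), then extension ('*.ext'),
    then the default pattern '/' which catches anything the other rules left unmatched."""
    patterns = set(patterns)
    if path in patterns:
        return path
    prefix_hits = []
    for pat in patterns:
        if pat.endswith("/*"):
            base = pat[:-2]  # '/*' gives base '' so every path is a hit
            if path == base or path.startswith(base + "/"):
                prefix_hits.append(pat)
    if prefix_hits:
        return max(prefix_hits, key=len)
    last_segment = path.rsplit("/", 1)[-1]
    for pat in patterns:
        if pat.startswith("*.") and "." in last_segment and last_segment.endswith(pat[1:]):
            return pat
    return "/" if "/" in patterns else None


def requires_auth(method: str, path: str, constraints: Sequence[Constraint],
                  welcome_files: Sequence[str] = ()) -> bool:
    """Does this request need authentication under the given constraints?"""
    # Assumption (Tomcat-style): a directory request such as '/' is resolved to its first
    # welcome file before constraints are matched; the welcome file is assumed to exist.
    if path.endswith("/") and welcome_files:
        path += welcome_files[0]
    hit = best_match(path, (p for c in constraints for p in c.patterns))
    if hit is None:
        return False  # no constraint covers this path: unauthenticated access
    return any(
        hit in c.patterns and (not c.methods or method in c.methods) and c.requires_auth
        for c in constraints
    )


def protected_paths(constraints: Sequence[Constraint], welcome_files: Sequence[str] = (),
                    method: str = "GET",
                    paths: Sequence[str] = ("/", "/test1.html", "/test2.html")) -> Dict[str, bool]:
    """Map each sample path to whether `method` on it requires authentication."""
    return {p: requires_auth(method, p, constraints, welcome_files) for p in paths}


# The three web.xml variants from the question, plus the welcome-file variant from the answer.
CONFIG_1 = [Constraint(("/test1.html",), ("GET",))]
CONFIG_2 = [Constraint(("/*",), ("GET",))]
CONFIG_3 = [Constraint(("/", "/test1.html"), ("GET",))]  # '/' is the default pattern: catches /test2.html
WELCOME = ("index.html",)
CONFIG_4 = [Constraint(("/index.html", "/test1.html"), ("GET",))]  # constrain the welcome file instead of '/'

if __name__ == "__main__":
    for name, cfg, wf in (("config 1", CONFIG_1, ()), ("config 2", CONFIG_2, ()),
                          ("config 3", CONFIG_3, ()), ("config 4 + welcome file", CONFIG_4, WELCOME)):
        print(name, protected_paths(cfg, wf))
    # <http-method>GET</http-method> leaves other verbs on the same URL unconstrained:
    print("POST /test1.html under config 1 requires auth:", requires_auth("POST", "/test1.html", CONFIG_1))
```

Running it shows config 3 marking all three paths as protected, because once "/" is among the patterns it is selected for every request that no exact, prefix or extension pattern claims; config 4 with the welcome file protects "/" and /test1.html only. The last line prints False: to cover every verb, drop the `<http-method>` element from the constraint (the model's `Constraint(("/test1.html",))` with no methods) rather than enumerating GET alone.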