
I am testing security constraints for certain URLs. I feel the URL pattern is acting weird. I want access restricted to whatever comes after ServletSecurityTest (the web app root)/. But after deploying the WAR file in WebSphere, even ServletSecurityTest (the web app root) itself is restricted. Why?

For example:

I wanted this http://ravi-pc:9080/ServletSecurityTest/testSecurity.do to be restricted. That is alright. But even http://ravi-pc:9080/ServletSecurityTest is restricted. Why?

Any ideas?

web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Servlet Security Resources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Administrator</role-name>
    </auth-constraint>

</security-constraint>

<security-role>
    <role-name>Administrator</role-name>
</security-role>

Servlet

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(name = "SecurityTestServlet", urlPatterns = {"/testSecurity.do"})
public class SecurityTestServlet extends HttpServlet {

    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Reached only after the container has enforced the security-constraint in web.xml.
        response.getWriter().write("Only Administrators can see this...");
    }

}
Ravi Trivedi

2 Answers


<url-pattern>/*</url-pattern> means all the URLs after the /.

/testSecurity.do and /testSecurity both fall under the pattern you have specified.

Try <url-pattern>/*.do</url-pattern> and see.

Thihara
  • I think you misunderstood my Q. My Q is why my web app root folder is also restricted, which is `http://ravi-pc:9080/ServletSecurityTest` – Ravi Trivedi Apr 29 '13 at 04:24
  • / means the root web app location. So anything after that is also affected. Check the servlet specification for the exact spec info. http://jcp.org/aboutJava/communityprocess/final/jsr315/ – Thihara Apr 29 '13 at 04:32

By specifying <url-pattern>/*</url-pattern> you ensured that the root folder is also secured. I faced a similar issue and resolved it by changing the folder structure as below.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Servlet Security Resources</web-resource-name>
        <url-pattern>/ServletSecurityTest/*</url-pattern>
        <url-pattern>/auth/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Administrator</role-name>
    </auth-constraint>
</security-constraint>

All authenticated content is moved to the auth folder; alternatively, create role-based folders and grant different access to each of these folders.

ad-inf
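Both answers come down to how a <url-pattern> in a <security-constraint> is matched. The rules are in the Servlet specification (JSR 315, sections 12.1 and 12.2): the container strips the context root from the request path first, then tries an exact match, a path-prefix match for patterns ending in `/*`, an extension match for patterns of the form `*.ext`, and the default `/`. Because `/*` has an empty prefix, it covers the context root itself (the empty path or `/`), which is exactly the behaviour asked about in the question. The script below is an added illustration written for this page, not WebSphere's or the specification's code; the web.xml text embedded in it is constructed, with one <web-resource-collection> per pattern so the patterns from the question and from the two answers can be compared side by side, and the matcher is a simplified reading of the spec rules (it ignores HTTP methods and the longest-prefix precedence, which do not matter for deciding whether a path is covered at all).

```python
"""Audit which <security-constraint> url-patterns cover a request URL.

Added illustration for this page (not WebSphere or Servlet-spec code).
Matching follows Servlet spec 12.2 (exact, "/*" path prefix, "*.ext"
extension, default "/") applied to the path AFTER the context root,
which is the path the container actually matches (spec 12.1).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample web.xml: the question's /* constraint plus the
# patterns proposed in the answers, each in its own collection.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>do-actions</web-resource-name>
      <url-pattern>*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>auth-folder</web-resource-name>
      <url-pattern>/auth/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>repeats-context-root</web-resource-name>
      <url-pattern>/ServletSecurityTest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def pattern_matches(pattern, path):
    """True if a url-pattern covers a context-relative request path."""
    if pattern == "/":                          # default mapping: everything
        return True
    if pattern.endswith("/*"):                  # path-prefix mapping
        prefix = pattern[:-2]                   # "/*" -> "" so "" and "/" match
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                # extension mapping
        return path.endswith(pattern[1:])       # "*.do" -> ".do"
    return pattern == path                      # anything else is an exact match


def context_relative(url, context_root):
    """Strip scheme, host and the context root, leaving what the container matches."""
    path = urlparse(url).path
    if path == context_root:
        return ""                               # request for the context root itself
    if path.startswith(context_root + "/"):
        return path[len(context_root):]
    raise ValueError("%s is outside context %s" % (url, context_root))


def _local(tag):
    """Drop the XML namespace ({uri}name -> name) so a namespaced web.xml parses."""
    return tag.rsplit("}", 1)[-1]


def covering_collections(web_xml, url, context_root):
    """Names of the web-resource-collections whose url-patterns cover the URL."""
    path = context_relative(url, context_root)
    hits = []
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "web-resource-collection":
            continue
        name = next(c.text.strip() for c in elem if _local(c.tag) == "web-resource-name")
        patterns = [c.text.strip() for c in elem if _local(c.tag) == "url-pattern"]
        if any(pattern_matches(p, path) for p in patterns):
            hits.append(name)
    return hits


if __name__ == "__main__":
    ctx = "/ServletSecurityTest"
    for url in ("http://ravi-pc:9080/ServletSecurityTest",
                "http://ravi-pc:9080/ServletSecurityTest/",
                "http://ravi-pc:9080/ServletSecurityTest/testSecurity.do",
                "http://ravi-pc:9080/ServletSecurityTest/auth/login.jsp",
                "http://ravi-pc:9080/ServletSecurityTest/index.html"):
        print("%-60s covered by %s" % (url, covering_collections(WEB_XML, url, ctx)))
```

Running it shows the context-root URL covered only by the `/*` collection, `testSecurity.do` covered by `/*` and `*.do`, and `index.html` covered by `/*` alone. Note that the pattern repeating the context root name covers none of these URLs: since the container removes `/ServletSecurityTest` before matching, that pattern would only protect a sub-folder literally named ServletSecurityTest inside the application, so a constraint written that way should be checked against the actual request paths before relying on it.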