1

A "/", when it comes to servlet mapping, means the default servlet. How do you interpret this when it comes to a URL pattern embedded inside a web-resource-collection element, as below:

```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>fixmyhome</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

What about "/*"? This URL pattern is not a servlet mapping since it's enclosed by the web-resource-collection tag.

I also noticed that requesting http://localhost:8081/fixmyhome/main.jsp with either URL pattern, "/" or "/*", gives the same result, which is that it gives me the main.jsp page. I thought "/" might not work since there's no wildcard.

Mike Samuel
yapkm01
  • In the context of a `security-constraint` that is a regular expression, and not necessarily applied to a mapping. – Elliott Frisch Mar 10 '15 at 19:47
  • Actually it's not a regexp, something more like a simple pattern with wildcards, see: http://stackoverflow.com/questions/8570805/can-we-use-regular-expressions-in-web-xml-url-patterns – buftlica Mar 10 '15 at 20:06
  • Not sure but I would say that according to [this](http://docs.oracle.com/javaee/6/tutorial/doc/gmmku.html) it is similar to /*. Also, see the general part of the servlet spec for url mappings [here](http://stackoverflow.com/a/23705891/1514241). – buftlica Mar 10 '15 at 20:21
  • @MatkoMedenjak Thanks. I read the link you gave. All it says for the "/" pattern is that it is the weakest pattern. I don't see why "/" and "/*" work for the above example. – yapkm01 Mar 14 '15 at 19:01

4 Answers

1

The <url-pattern> is looking for an Ant pattern. The patterns available are ?, *, and **; which match 1 character, 0 or more characters, and 0 or more directories respectively.

In your case of http://localhost:8081/fixmyhome/main.jsp, both / and /* are working the same because the * is not a requirement for there to be a character.

If you have a resources directory in your root, I would imagine your <url-pattern> would look something like this: <url-pattern>/resources/**</url-pattern>, thereby allowing you access to all sub-directories of the resources directory.

This may help provide some more clarity: https://ant.apache.org/manual/dirtasks.html

Nick Cromwell
0

According to this I would say that by writing / you are restricting access to the servlet while by writing /* you are restricting access to a certain path. So essentially "/" and "/*" would be the same.

Community
buftlica
0

The URL pattern under a security constraint does not belong to any servlet mapping; instead, it is a regular expression. With the security constraint you can allow/restrict users with the mentioned role (in auth-constraint) for the given URL pattern.

  • I do agree with you this is just a regular expression. However, if so, why do "/" and "/*" give the same output for the above example? – yapkm01 Mar 14 '15 at 19:05
0

Section 12.2 of the servlet specification (version 3) states the following:

  • A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
  • A string beginning with a ‘*.’ prefix is used as an extension mapping.
  • The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form http://host:port/contextroot/. In this case the path info is ‘/’ and the servlet path and context path is empty string ("").
  • A string containing only the ‘/’ character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
  • All other strings are used for exact matches only.

Sandeep
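
The pattern kinds listed in the answer above, put into a small matcher and run against the question's `/main.jsp` request. This is an added example, not code from the thread or from any servlet container. It assumes the container picks a constraint's url-pattern with the same best-match order the specification gives for servlet mappings (exact, longest path prefix, extension, default); the class and method names are hypothetical.

```java
import java.util.List;

public class UrlPatternMatch {

    // Returns the declared pattern that best matches `path` (the request URI
    // minus the context path), or null when no declared pattern applies.
    static String bestMatch(List<String> patterns, String path) {
        // 1. Exact match; the empty-string pattern maps only the context root.
        for (String p : patterns) {
            if (p.equals(path) || (p.isEmpty() && path.equals("/"))) return p;
        }
        // 2. Path mapping ("/.../*"): the longest matching prefix wins.
        String best = null;
        for (String p : patterns) {
            if (!p.startsWith("/") || !p.endsWith("/*")) continue;
            String prefix = p.substring(0, p.length() - 2); // "/*" becomes ""
            boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
            if (hit && (best == null || p.length() > best.length())) best = p;
        }
        if (best != null) return best;
        // 3. Extension mapping ("*.ext"), taken from the last path segment.
        int slash = path.lastIndexOf('/');
        int dot = path.lastIndexOf('.');
        if (dot > slash) {
            String ext = "*" + path.substring(dot);
            if (patterns.contains(ext)) return ext;
        }
        // 4. Default pattern "/": whatever nothing else matched.
        return patterns.contains("/") ? "/" : null;
    }

    public static void main(String[] args) {
        // Constructed input: /fixmyhome/main.jsp minus the context path.
        String path = "/main.jsp";
        List<List<String>> declared = List.of(
            List.of("/"),            // only the default pattern
            List.of("/*"),           // only the path-mapping wildcard
            List.of("/", "*.jsp"),   // default next to an extension pattern
            List.of("/*", "*.jsp")); // wildcard next to an extension pattern
        for (List<String> patterns : declared) {
            System.out.println(patterns + " -> " + bestMatch(patterns, path));
        }
        // A path prefix must end on a segment boundary.
        System.out.println(bestMatch(List.of("/admin/*", "/"), "/administrator"));
    }
}
```

Declared alone, `/` and `/*` both select the constraint for `/main.jsp`. They differ once `*.jsp` is also declared: `/*` still wins as a path mapping, while `/` yields to the extension pattern.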