about <url-pattern>/</url-pattern>

 
Ranch Hand
Hi, in <web-resource-collection>, there is an element <url-pattern>. There is an example from the J2EE tutorial at https://docs.oracle.com/javaee/6/tutorial/doc/gmmku.html:


If you want to extend these exclusions to the unconstrained parts of your application, also include the URL pattern / (forward slash):
<security-constraint>
   <display-name>Deny all HTTP methods except GET and POST</display-name>
   <web-resource-collection>
       <url-pattern>/company/*</url-pattern>
       <url-pattern>/</url-pattern>
       <http-method-omission>GET</http-method-omission>
       <http-method-omission>POST</http-method-omission>
   </web-resource-collection>
   <auth-constraint/>
</security-constraint>



What does the <url-pattern>/</url-pattern> mean? Some article says that if nothing else (url-pattern) is a match, then consider the security-constraint with <url-pattern>/</url-pattern>.
But I am not sure if that is true or not.

 
Saloon Keeper
"/" is the root of the web application. That is, it's the resource referenced in something like http://www.coderanch.com/forums/ if "/forums" is the URL context for the (hypothetical) "forums" webapp.

In J(2)EE, the root is resolved by looking at web.xml for the <welcome-page> element. If one is found, then that resource (for example, "/index.jsp") is returned.

That points out a very important distinction. J2EE container security does not protect resources, it protects URLs. If more than one URL pattern can return the same webapp resource and one is secured and one is not, you can obtain the "secured" resource by using the insecure URL.

That's the case in JavaServer Faces, where the URL lags behind the resource, since the URL is more like a session handle than a true resource locator in JSF. The JSF "redirect" feature eliminates that lag so that secured resources can stay secured.
 
It is sorta covered in the JavaRanch Style Guide.
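
Added example (not from the thread or the Java EE tutorial): a simplified Java model of the servlet specification's URL-pattern matching order, which containers also use to select the url-pattern that best matches a request when applying security constraints. It covers extension patterns as well as the two patterns quoted in the question, and shows that "/" is the default pattern, selected only when no exact, path-prefix or extension pattern matches. The class name, method name and request paths are assumptions made for illustration.

```java
import java.util.List;

// Simplified model of the servlet URL-pattern matching order:
// exact match, longest path prefix, extension, then the default "/".
// Illustrative only; this is not code from any container.
public class UrlPatternMatch {

    /** Returns the best-matching pattern for a context-relative path, or null. */
    static String bestMatch(List<String> patterns, String path) {
        // 1. An exact match always wins.
        if (patterns.contains(path)) {
            return path;
        }
        // 2. Longest path-prefix pattern: "/a/*" matches "/a" and "/a/...".
        String best = null;
        for (String p : patterns) {
            if (p.endsWith("/*")) {
                String prefix = p.substring(0, p.length() - 2);
                boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
                if (hit && (best == null || p.length() > best.length())) {
                    best = p;
                }
            }
        }
        if (best != null) {
            return best;
        }
        // 3. Extension pattern ("*.jsp"), taken from the last path segment.
        String last = path.substring(path.lastIndexOf('/') + 1);
        int dot = last.lastIndexOf('.');
        if (dot >= 0 && patterns.contains("*" + last.substring(dot))) {
            return "*" + last.substring(dot);
        }
        // 4. The default pattern "/" applies only when nothing above matched.
        return patterns.contains("/") ? "/" : null;
    }

    public static void main(String[] args) {
        // Patterns from the security-constraint quoted in the question.
        List<String> patterns = List.of("/company/*", "/");
        // Request paths constructed for illustration.
        for (String path : List.of("/company/payroll", "/company",
                                   "/index.jsp", "/orders/42")) {
            System.out.println(path + " -> " + bestMatch(patterns, path));
        }
    }
}
```

Because the constraint is selected by request path, every URL pattern that can reach a protected resource needs its own coverage, which is the distinction the reply above draws between protecting URLs and protecting resources.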