about <url-pattern>/</url-pattern>

 
Ranch Hand
Hi, in <web-resource-collection>, there is an element <url-pattern>. There is an example from the J2EE tutorial at https://docs.oracle.com/javaee/6/tutorial/doc/gmmku.html:


If you want to extend these exclusions to the unconstrained parts of your application, also include the URL pattern / (forward slash):
<security-constraint>
   <display-name>Deny all HTTP methods except GET and POST</display-name>
   <web-resource-collection>
       <url-pattern>/company/*</url-pattern>
       <url-pattern>/</url-pattern>
       <http-method-omission>GET</http-method-omission>
       <http-method-omission>POST</http-method-omission>
   </web-resource-collection>
   <auth-constraint/>
</security-constraint>



What does the <url-pattern>/</url-pattern> mean? Some article says if nothing else (url-pattern) is a match, then consider the security-constraint with <url-pattern>/</url-pattern>.
But I am not sure if that is true or not.

 
Bartender
"/" is the root of the web application. That is, it's the resource referenced in something like http://www.coderanch.com/forums/ if "/forums" is the URL context for the (hypothetical) "forums" webapp.

In J(2)EE, the root is resolved by looking at web.xml for the <welcome-page> element. If one is found, then that resource (for example, "/index.jsp") is returned.

That points out a very important distinction. J2EE container security does not protect resources, it protects URLs. If more than one URL pattern can return the same webapp resource and one is secured and one is not, you can obtain the "secured" resource by using the insecure URL.

That's the case in JavaServer Faces, where the URL lags behind the resource, since the URL is more like a session handle than a true resource locator in JSF. The JSF "redirect" feature eliminates that lag so that secured resources can stay secured.
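
An added example, not part of the thread or of the Oracle tutorial: a small model of the Servlet specification's URL-pattern matching order (exact match, longest path prefix, extension, then "/" as the default) applied to the single constraint quoted in the question. The class and method names are hypothetical, the request paths are constructed, and a real container also combines any other constraints declared in web.xml.

```java
import java.util.List;
import java.util.Set;

public class UrlPatternDemo {
    // Methods listed as <http-method-omission> in the quoted constraint (Java 9+ for Set.of/List.of).
    static final Set<String> OMITTED = Set.of("GET", "POST");

    /** Best-matching url-pattern for a context-relative path, or null when nothing matches. */
    static String bestMatch(List<String> patterns, String path) {
        String best = null;
        int bestRank = -1;
        for (String p : patterns) {
            int rank = -1;
            if (p.equals(path)) {
                rank = Integer.MAX_VALUE;                  // 1. exact match
            } else if (p.endsWith("/*")) {
                String prefix = p.substring(0, p.length() - 2);
                if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                    rank = 1000 + prefix.length();         // 2. longest path prefix wins
                }
            } else if (p.startsWith("*.")) {
                int dot = path.lastIndexOf('.');
                if (dot > path.lastIndexOf('/') && path.substring(dot).equals(p.substring(1))) {
                    rank = 1;                              // 3. extension match
                }
            } else if (p.equals("/")) {
                rank = 0;                                  // 4. default: matches when nothing else does
            }
            if (rank > bestRank) { bestRank = rank; best = p; }
        }
        return best;
    }

    /** True when the quoted constraint (empty <auth-constraint/>, so no role is allowed) blocks the request. */
    static boolean denied(List<String> patterns, String path, String method) {
        return bestMatch(patterns, path) != null && !OMITTED.contains(method);
    }

    public static void main(String[] args) {
        List<String> withRoot = List.of("/company/*", "/");   // as in the quoted web.xml
        List<String> withoutRoot = List.of("/company/*");     // same constraint minus "/"
        String[][] requests = { {"PUT", "/company/report"}, {"GET", "/company/report"},
                                {"DELETE", "/orders/42"}, {"POST", "/orders/42"} };
        for (String[] r : requests) {
            System.out.printf("%-6s %-16s matched=%-10s denied with '/': %-5b without '/': %b%n",
                r[0], r[1], bestMatch(withRoot, r[1]),
                denied(withRoot, r[1], r[0]), denied(withoutRoot, r[1], r[0]));
        }
    }
}
```

The DELETE request outside /company/ is the case the "/" pattern exists for: it is denied only when "/" is listed in the collection.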
 
Story like this gets better after being told a few times. Or maybe it's just a tiny ad:
RavenDB is an Open Source NoSQL Database that’s fully transactional (ACID) across your database
https://coderanch.com/t/704633/RavenDB-Open-Source-NoSQL-Database
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!