Reputation: 2360
I am testing security constraints for certain URLs. I feel the URL pattern is acting weird. I want access restricted for whatever comes after ServletSecurityTest(webapproot)/. But after deploying the WAR file in WebSphere, even ServletSecurityTest(webapproot) itself is restricted. Why?
For example:
I wanted this http//ravi-pc:9080/ServletSecurityTest/testSecurity.do to be restricted. That is alright. But even http//ravi-pc:9080/ServletSecurityTest is restricted. Why?
Any ideas?
web.xml
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Servlet Security Resources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Administrator</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>Administrator</role-name>
    </security-role>
Servlet
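    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    @WebServlet(name="SecurityTestServlet", urlPatterns={"/testSecurity.do"})
    public class SecurityTestServlet extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            response.getWriter().write("Only Administrators can see this...");
        }
    }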
Upvotes: 0
Views: 1244
Reputation: 1570
By mentioning <url-pattern>/*</url-pattern> you ensured that the root folder is also secured.
I faced a similar issue and resolved it by changing the folder structure as below.
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Servlet Security Resources</web-resource-name>
            <url-pattern>/ServletSecurityTest/*</url-pattern>
            <url-pattern>/auth/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Administrator</role-name>
        </auth-constraint>
    </security-constraint>
All authentication contents are moved to the auth folder, or create role-based folders and provide different access to these folders.
Upvotes: 0
Reputation: 6969
<url-pattern>/*</url-pattern> means all the URLs after the /.
/testSecurity.do and /testSecurity both fall under the pattern you have specified.
Try <url-pattern>/*.do</url-pattern> and see.
Upvotes: 1
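
An added example, not code from the question or the answers: a small Java model of how the Servlet specification classifies and matches a `<url-pattern>`, run over the patterns mentioned in this thread. The class name, the sample paths and the simplification of checking one pattern at a time are assumptions; paths are relative to the context root (`/ServletSecurityTest` here), which is how the container evaluates them.

```java
import java.util.List;

// Hypothetical demo class; models the Servlet specification's url-pattern rules.
public class UrlPatternDemo {
    enum Kind { EXACT, PATH_PREFIX, EXTENSION, DEFAULT }

    // Classify a <url-pattern> the way the specification does.
    static Kind kind(String p) {
        if (p.equals("/")) return Kind.DEFAULT;
        if (p.startsWith("/") && p.endsWith("/*")) return Kind.PATH_PREFIX;
        if (p.startsWith("*.")) return Kind.EXTENSION;
        return Kind.EXACT; // every other string, "/*.do" included
    }

    // path is the request path relative to the context root, e.g. "/testSecurity.do".
    // With several constraints the container picks the best match (exact, longest
    // prefix, extension, default); this sketch checks one pattern at a time.
    static boolean covers(String pattern, String path) {
        switch (kind(pattern)) {
            case DEFAULT:
                return true;
            case PATH_PREFIX: {
                String prefix = pattern.substring(0, pattern.length() - 2);
                return path.equals(prefix) || path.startsWith(prefix + "/");
            }
            case EXTENSION: {
                String last = path.substring(path.lastIndexOf('/') + 1);
                int dot = last.lastIndexOf('.');
                return dot >= 0 && last.substring(dot).equals(pattern.substring(1));
            }
            default:
                return path.equals(pattern);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: patterns from this thread plus "*.do" for comparison.
        List<String> patterns = List.of("/*", "*.do", "/*.do", "/auth/*", "/ServletSecurityTest/*");
        List<String> paths = List.of("/", "/testSecurity.do", "/testSecurity", "/auth/users.jsp", "/index.html");
        for (String pattern : patterns) {
            System.out.printf("%-26s %s%n", pattern, kind(pattern));
            for (String path : paths) {
                System.out.printf("    %-20s %s%n", path, covers(pattern, path) ? "constrained" : "not covered");
            }
        }
    }
}
```

Under these rules `/*` constrains every path including the root `/`, `*.do` constrains only paths whose last segment ends in `.do`, and `/*.do` is neither a path-prefix nor an extension pattern, so it only matches the literal path `/*.do`.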