Reputation: 39
I've defined two roles - user
<security-role>
    <role-name>User</role-name>
</security-role>
and administrator
<security-role>
    <role-name>Admin</role-name>
</security-role>
in my web.xml.
Problem 1 -
I want the application to be accessed by users only if they have either of these two roles (there may be more roles added in the future, so I haven't used a * role pattern)
<security-constraint id="FullAccess">
    <web-resource-collection>
        <web-resource-name>CPDC Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Admin</role-name>
        <role-name>User</role-name>
    </auth-constraint>
</security-constraint>
This does not work if there are two roles in <auth-constraint>. Removing one of the roles causes it to work as expected. What if I want two roles to have access to this resource?
Problem 2 -
Now, I also want only users with the Admin role to be able to access all resources down from adminresource/
<security-constraint id="AdminAccess">
    <web-resource-collection>
        <web-resource-name>Admin resources</web-resource-name>
        <url-pattern>/appname/servlet.svc/adminresource/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Admin</role-name>
    </auth-constraint>
</security-constraint>
This constraint does not work, and even someone with a User role is able to access URLs of the form https://localhost:8080/appname/servlet.svc/adminresrouce/test
Could someone please help?
Upvotes: 0
Views: 2420
Reputation: 19445
This looks like you have included the context root /appname of your application:
<url-pattern>/appname/servlet.svc/adminresource/*</url-pattern>
That does not belong in any url-pattern, as they are all relative to the context root.
Upvotes: 2
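To make the failure mode in the question concrete, here is an added example (not part of the question or the answer, and not code from any servlet container) that simulates how a container picks the security constraint for a request. It assumes the context root is /appname as in the question's URL, and it models the Servlet specification's rule that the constraints attached to the best-matching url-pattern (exact match, then longest path prefix, then extension, then the default "/") are the ones applied; the scoring tuples, the `check` helper and the sample request paths are this example's own constructions. It shows that with the context root inside the pattern, the AdminAccess constraint never matches, so the request falls through to the /* constraint, which admits anyone holding User; stripping the context root from the pattern makes AdminAccess the best match and User is denied.

```python
"""Simulate servlet security-constraint selection to show why a url-pattern
that includes the context root never matches any request."""

from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

CONTEXT_ROOT = "/appname"  # assumed from the question's URL, not from web.xml


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>: its url-pattern and the roles it allows."""
    name: str
    url_pattern: str
    roles: FrozenSet[str]  # empty set models an <auth-constraint/> with no roles


def pattern_score(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Return a specificity score if `pattern` matches the context-relative
    `path`, else None. Higher tuples win: exact > longest prefix > extension
    > default. Simplified model of the spec's mapping rules."""
    if pattern == "/":                      # default pattern matches anything
        return (0, 0)
    if pattern == path:                     # exact match
        return (3, len(pattern))
    if pattern.endswith("/*"):              # path-prefix match, e.g. /admin/*
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*."):            # extension match, e.g. *.jsp
        if path.endswith(pattern[1:]):
            return (1, 0)
    return None


def best_constraints(constraints: Iterable[Constraint], path: str) -> List[Constraint]:
    """Constraints attached to the single best-matching url-pattern."""
    scored = [(pattern_score(c.url_pattern, path), c) for c in constraints]
    scored = [(s, c) for s, c in scored if s is not None]
    if not scored:
        return []
    best = max(s for s, _ in scored)
    return [c for s, c in scored if s == best]


def is_authorized(constraints: Iterable[Constraint], path: str,
                  user_roles: Iterable[str]) -> bool:
    """True if a principal holding `user_roles` may reach `path`.
    A path no constraint covers is unprotected; constraints sharing the
    winning pattern are combined by taking the union of their roles."""
    applicable = best_constraints(constraints, path)
    if not applicable:
        return True
    allowed = set().union(*(c.roles for c in applicable))
    roles = set(user_roles)
    if "*" in allowed:                      # '*' = any authenticated user with a role
        return bool(roles)
    return bool(allowed & roles)


def constraints_from_question(include_context_root: bool) -> List[Constraint]:
    """The two constraints from the question; `include_context_root=True`
    reproduces the misconfiguration, False the corrected pattern."""
    admin_pattern = "/servlet.svc/adminresource/*"
    if include_context_root:
        admin_pattern = CONTEXT_ROOT + admin_pattern
    return [
        Constraint("FullAccess", "/*", frozenset({"Admin", "User"})),
        Constraint("AdminAccess", admin_pattern, frozenset({"Admin"})),
    ]


def context_relative_path(request_uri: str, context_root: str = CONTEXT_ROOT) -> str:
    """Strip the context root, as the container does before url-pattern matching."""
    if request_uri == context_root:
        return "/"
    if not request_uri.startswith(context_root + "/"):
        raise ValueError(f"{request_uri!r} is outside context root {context_root!r}")
    return request_uri[len(context_root):]


def check(request_uri: str, roles: Iterable[str], broken: bool) -> bool:
    """Authorization decision for a full request URI under either web.xml."""
    path = context_relative_path(request_uri)
    return is_authorized(constraints_from_question(broken), path, roles)


if __name__ == "__main__":
    uri = "/appname/servlet.svc/adminresource/test"   # constructed sample request
    for broken in (True, False):
        names = [c.name for c in best_constraints(
            constraints_from_question(broken), context_relative_path(uri))]
        print(f"context root in pattern={broken}: winning constraint {names}, "
              f"User allowed={check(uri, {'User'}, broken)}, "
              f"Admin allowed={check(uri, {'Admin'}, broken)}")
```

Run it and the first line reports that only FullAccess matches the admin URL, so a User-only principal is let in; the second line shows AdminAccess winning once the context root is removed. The same model also answers Problem 1: two role-name entries in one auth-constraint are simply a union, so either role passes.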