Security constraint in web.xml not getting applied to URL patterns having file extension

Question

I have the following security constraints entered in the web.xml. My objective is that the XML files are in the Public area. This works for the /images/* folder. However the url-pattern *.xml does not seem to work. Any ideas ?

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Public Area</web-resource-name>
            <url-pattern>/xyz</url-pattern>
            <url-pattern>/images/*</url-pattern>
            <url-pattern>/yyz/*</url-pattern>
            <url-pattern>*.xml</url-pattern>
        </web-resource-collection>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Super User Area</web-resource-name>
            <url-pattern>/test/list1</url-pattern>
            <url-pattern>/test/list2</url-pattern>
            <url-pattern>/test/list3</url-pattern>
            <url-pattern>/test/admin.html</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SUPER_USER</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN</role-name>
            <role-name>END_USER</role-name>
        </auth-constraint>
    </security-constraint>


    <security-role>
        <description>Super User</description>
        <role-name>SUPER_USER</role-name>
    </security-role>
    <security-role>
        <description>Admin User</description>
        <role-name>ADMIN</role-name>
    </security-role>
    <security-role>
        <description>End User</description>
        <role-name>END_USER</role-name>
    </security-role>

It would help if you provided an example or two of some URLs that don't work as you expect. — Mark Thomas, Oct 18 '13 at 08:13
When I try https:///testresource.xml, the system redirects to the authentication page. — mithrandir, Oct 18 '13 at 15:51
I dont think that answers the question. The xml files are located in the web-app root. I dont have any overlapping paths as far as I can see. — mithrandir, Oct 20 '13 at 03:48
Yes you do have overlapping patterns. /testresource.xml matches /* and *./xml — Mark Thomas, Oct 20 '13 at 20:22
As per what you mentioned above, it should pick-up the more specific path i.e. *.xml right? — mithrandir, Oct 21 '13 at 03:17
Wrong. You need to read section 13.8.3 of the Servlet 3.1 specification followed by section 12.1. Earlier versions of the specification define the same rules but may use different section numbers for the relevant parts. — Mark Thomas, Oct 21 '13 at 09:59

Keerthivasan · Accepted Answer · 2013-10-18T06:29:17.133

9

One of your other URL patterns matches more than this url-pattern - *.xml requestURI, that's why it's not working. For example, if you have /test/list/user.xml, then this will be treated as a web resource collection in Super user Area and thus SUPER_USER can only have access. so, ensure that url-pattern is declared more specific to resources to avoid clashes and mis-interpretation. Thanks

edited Oct 18 '13 at 06:29

answered Oct 18 '13 at 05:03

Keerthivasan

12,760
2
32
53

Were you able to fix it? – Keerthivasan Oct 18 '13 at 12:21

score 1 · Answer 2 · answered Nov 07 '16 at 13:06

Actually, the sequence of the placement is issue, first security constraints should be the super_user, then public area security constraints. If your put the security constraint belong of public area it will be over written by followed security constraints.

Security constraint in web.xml not getting applied to URL patterns having file extension

2 Answers2

Linked