tags:

views:

260

answers:

2
+1  Q: 

url-pattern and wildcards

While configuring the security constraints for a web-module's roles in J2EE application I'm having the following problem:

Application:

Giving a servlet named customersServlet, which receives two parameters in the URL:

  • A string representing an operation (INS, UPD, DLT and DSP).
  • An identification number to identify a customer on which the operation will be performed.

E.G.: the url /servlet/cusotmersServlet?UPD,5 is used to update customer number 5 data, and the usl /servlet/customersServlet?DLT,8 is used to delete customer number 8.

Problem:

If I use this security-constraint the servlet can only be accessed by the role specified, which is ok:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>...</web-resource-name>
        <url-pattern>/servlet/clientsServlet*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>clientAdmin</role-name>
    </auth-constraint>
</security-constraint>

But I want to restrict the ability to insert customers only to a role named clientAdmin.

I've tried several url patterns but none of them works as I want (all of them allow every role to access the servlet with any parameter):

<url-pattern>/servlet/clientsServlet?INS,*</url-pattern>
<url-pattern>/servlet/clientsServlet?INS/*</url-pattern>
...

How to use the wildcard * in the url-pattern tag?

Note: The application cannot be changed, so I need a solution that only implies touching the deployment descriptor.

+4  A: 

The <url-pattern> tag only allows a very restricted subset of wildcards. This is probably not what you are used to from other situations, where a * can be used at any position. You can download the Servlet specification here:

http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index2.html

Section SRV.11.2 of that document describes how these URL patterns are interpreted. In particular, the * does not mean "zero or more arbitrary characters" here.

Roland Illig  2010-05-04 20:01:45
+1  A: 

Note: The application cannot be changed, so I need a solution that only implies touching the deployment descriptor.

Not sure if this counts as an application change - perhaps you could think of it as a plug-in. You could add a Filter. This would require the ability to add a new JAR to WEB-INF/libs and the ability to define the filter in web.xml. The Filter would allow you to restrict access programmatically.

McDowell  2010-05-05 07:39:31
Thanks, I'll see if I can do that, it's a good idea.
Toto  2010-05-07 14:31:05

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java