I have a web.xml which looks like:

<web-app>

<welcome-file-list>
   <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Default</web-resource-name>
    <url-pattern>/</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Index page</web-resource-name>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern>/</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
</security-constraint>
...

We want to deny access to resources by default, and specify the resources we want to allow access to.

If a user goes to http://localhost:8080/ they get access denied, however, if they go to http://localhost:8080/index.jsp it allows them in. Both URLs should show the same page, and both should be allowed. What am I doing wrong here?

+3  A: 

I think the thing to do will be to specify /* to catch the default, and do specific patterns like /somethingElse.jsp to catch any other pages that are not index.jsp. Hopefully your top level "directory" isn't very cluttered.

Carl Smotricz
You don't need to think. You're right :)
BalusC
I'm gonna take that statement, print it out in big letters, frame it and hang it up by my desk :)
Carl Smotricz
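
The combination rule behind the behaviour in the question, and the effect of the `/*` layout proposed in the answer, as an added example (not code from the original posts or from any servlet container). It is a simplified Python model that assumes a request for the context root is an exact match for the pattern `/` and omits extension patterns; `constraint`, `best_patterns` and `decide` are hypothetical names.

```python
# Added example: simplified model of servlet security-constraint selection.
# Assumption: a request for the context root "/" is an exact match for the
# url-pattern "/"; extension patterns (*.jsp) are omitted for brevity.

DENY, ALLOW = "deny", "allow"

def constraint(patterns, methods=None, auth=ALLOW):
    """methods=None covers every HTTP method; auth=DENY models <auth-constraint/>."""
    return {"patterns": patterns, "methods": methods, "auth": auth}

def best_patterns(uri, constraints):
    """Return the set holding the url-pattern that is the best match for uri."""
    all_patterns = {p for c in constraints for p in c["patterns"]}
    if uri in all_patterns:                       # 1. exact match
        return {uri}
    prefixes = [p for p in all_patterns
                if p.endswith("/*") and (uri == p[:-2] or uri.startswith(p[:-1]))]
    if prefixes:                                  # 2. longest path prefix
        return {max(prefixes, key=len)}
    return {"/"} & all_patterns                   # 3. default pattern

def decide(uri, method, constraints):
    """Combine every constraint on the best-match pattern; an empty
    auth-constraint overrides all others and denies access."""
    best = best_patterns(uri, constraints)
    applicable = [c for c in constraints
                  if best & set(c["patterns"])
                  and (c["methods"] is None or method in c["methods"])]
    return DENY if any(c["auth"] == DENY for c in applicable) else ALLOW

# web.xml from the question: both constraints list the pattern "/".
QUESTION = [
    constraint(["/"], auth=DENY),
    constraint(["/index.jsp", "/"], methods={"GET", "HEAD"}),
]
# Layout proposed in the answer: "/*" as the deny-all catch-all.
ANSWER = [
    constraint(["/*"], auth=DENY),
    constraint(["/index.jsp", "/"], methods={"GET", "HEAD"}),
]

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("answer", ANSWER)):
        for uri in ("/", "/index.jsp", "/other.jsp"):
            print(name, uri, decide(uri, "GET", cfg))
```

In this model, as in the Servlet specification, a method that no constraint on the best-match pattern lists is left uncovered, so `decide("/index.jsp", "POST", ANSWER)` returns `allow`; Servlet 3.1's `<deny-uncovered-http-methods/>` element closes that gap.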