I'm trying to allow everything in my web app EXCEPT /admin/* to the "flatmate" role, and of course, everything in /admin/* to the admin role. So I've got the following in my web.xml.
As I understand it, this should work, as it says here: http://www2.sys-con.com/itsg/virtualcd/java/archives/0704/mccay/index.html
Because "Prefix matches take precedence over shorter prefix matches".
So the /admin/* match should take precedence over the /* match.
However, if I log in as someone with the "flatmate" role but no admin role, they can get access to the /admin/ functions.
<!-- /admin/* : admin only -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>admin-resources</web-resource-name>
        <description>Administrators</description>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>These roles are allowed access</description>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<!-- /* : everything else, open to flatmates and admins -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>common-resources</web-resource-name>
        <description>Common Resources</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>These roles are allowed access</description>
        <role-name>flatmate</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
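For reference, the Servlet specification ("Security Constraints", "Processing Requests") has the container select the constraints defined on the best-matching url-pattern for a request, using the same exact / longest-prefix / extension matching as servlet mappings; constraints are only combined (roles unioned) when two of them name the same url-pattern. So a request to /admin/anything should be governed by the /admin/* constraint alone. The fragment below is an added example, not the asker's web.xml: it keeps the same two constraints and adds the pieces a working setup also needs (a login-config and the security-role declarations), with comments on what to check when a flatmate still reaches /admin/. The page names /login.jsp and /login-error.jsp are assumptions.

```xml
<!-- Added example, not the asker's file. /login.jsp and
     /login-error.jsp are assumed page names. -->

<security-constraint>
    <web-resource-collection>
        <web-resource-name>admin-resources</web-resource-name>
        <!-- Matches /admin and everything below it. Constraints apply
             only to requests arriving from the client: a servlet that
             forwards to /admin/... via RequestDispatcher is not checked,
             so confirm the admin functions are reached by URL. -->
        <url-pattern>/admin/*</url-pattern>
        <!-- No http-method element, so every method is covered. Listing
             methods here would leave the unlisted ones unprotected. -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>common-resources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>flatmate</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<!-- How users authenticate. Without a login-config the container
     cannot establish a principal, and the role names above are never
     evaluated against anyone. -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
</login-config>

<!-- Declare every role referenced by an auth-constraint. The container
     (or its realm / user store) maps each user onto these names; check
     that the flatmate test user is not also mapped to admin there. -->
<security-role>
    <role-name>admin</role-name>
</security-role>
<security-role>
    <role-name>flatmate</role-name>
</security-role>
```

To verify the deployment, authenticate as a user who holds only the flatmate role and request /admin/ directly by URL: the container should answer 403, not the admin page. If it still serves the page, the two things worth checking first are the user-to-role mapping in the container's user store and whether the admin functions are being reached through a forward rather than a client request.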