I'm trying to allow everything in my web app EXCEPT /admin/* to the "flatmate" role, and of course, everything in /admin/* to the admin role. So I've got the following in my web.xml.

As I understand it, this should work, as it says here: http://www2.sys-con.com/itsg/virtualcd/java/archives/0704/mccay/index.html

Because "Prefix matches take precedence over shorter prefix matches".

So the /admin/* match should take precedence over the /* match.

However if I login as someone with the "flatmate" role, but no admin role, they can get access to the /admin/ functions.

  <security-constraint>

    <web-resource-collection>

       <web-resource-name>admin-resources</web-resource-name>

       <description>Administrators</description>

       <url-pattern>/admin/*</url-pattern>

    </web-resource-collection>

    <auth-constraint>

       <description>These roles are allowed access</description>

       <role-name>admin</role-name>

    </auth-constraint>

  </security-constraint>

 

  <security-constraint>

    <web-resource-collection>

       <web-resource-name>common-resources</web-resource-name>

       <description>Common Resources</description>

       <url-pattern>/*</url-pattern>

    </web-resource-collection>

    <auth-constraint>

       <description>These roles are allowed access</description>

       <role-name>flatmate</role-name>

       <role-name>admin</role-name>

    </auth-constraint>

  </security-constraint>