3 Replies Latest reply on Dec 15, 2003 1:01 PM by Wouter Zoons

    url pattern matchin in web.xml

    davehorner Newbie

      I'm using JBoss 3.2 with embedded Tomcat 4 and JAAS with a JDBC Realm and I'm trying to configure web.xml to protect specified resources.
      I have tried this: -

      security tests

      This seems to protect urls ending in aaa or ending in the literal 'bbb*' ( I get directed to my login screen ) but doesn't protect say bbb1 ( I get 'the requested resource is not available'). I really want to protect all urls starting with a specified string.
      I've tried using a patten of "/*" but that seems to leave me stuck on the login screen.
      Any help very much appreciated.

        • 1. re: url pattern matchin in web.xml
          Wouter Zoons Newbie

          for reasons of performance that's not possible, url patterns are used in filters, if they would be too complex this would impose a too high load on the server (for each request the patterns are checked)

          according to the specs you can use wildcards on directories or filenames only, or go for exact matches

          /bbb* is not aven valid, you can do <url-pattern>*.jsp</url-pattern> or <url-pattern>/my/path/*</url-pattern> but no mixing

          this annoyed to hell out of me too

          a workaround is to put your pages in specially designed directories, but I'm not sure if you want to jump through those hoops


          • 2. Re: url pattern matchin in web.xml
            davehorner Newbie

            Thanks for that Wouter,
            If I could just ask one more thing about security-constraints and web resource collections, please ?
            When I try to access a url which is in a protected resource collection in web.xml, I always get sent to my login page, even when I have already been to it before in the same session and logged in through JAAS.
            How can I prevent this happening, please ? I only want it to send me there when I haven't logged in yet.

            • 3. Re: url pattern matchin in web.xml
              Wouter Zoons Newbie

              the behavior you describe is not normal, the way you expect it to work is indeed how it should work

              for each request the security interceptor checks whether your user has been authenticated in the session (please note the session invalidates after a certain amount of inactivity)

              you should only be forwarded to your login page when the container thinks your user is not authenticated

              I never experienced what you describe, I would need more details in order to give more feedback...