security constraints url mapping in web.xml

sbrunot May 28, 2004 7:30 AM

The servlet 2.3 spec specifies that, when multiple <security-constraint> tags are defined in web.xml, the following rules apply to match incoming request to the URL defined for the web resource collections :

1. The container will try to find an exact match of the path of the request to the path of the servlet. A successful match selects the servlet.
2. The container will recursively try to match the longest path-prefix: This is done by stepping down the path tree a directory at a time, using the ’/’ character as a path separator. The longest match determines the servlet selected.
3. If the last segment in the URL path contains an extension (e.g. .jsp), the servlet container will try to match a servlet that handles requests for the extension. An extension is defined as the part of the last segment after the last ’.’ character.
4. If neither of the previous three rules result in a servlet match, the container will attempt to serve content appropriate for the resource requested. If a "default" servlet is defined for the application, it will be used.

In Jboss 3.2.3, it seems that the first url-pattern that match the incoming request (in the order the web resource collections are declared in web.xml) is used...

1. Re: security constraints url mapping in web.xml

starksm64 May 28, 2004 9:56 AM (in response to sbrunot)

So provide an example that illustrates this is not being done.
Actions