<url-pattern>/company/*</url-pattern>
<http-method-omission>GET</http-method-omission>
<http-method-omission>POST</http-method-omission>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
If you want to extend these exclusions to the unconstrained parts of your application, also include the URL pattern / (forward slash):
<!-- SECURITY CONSTRAINT #6 -->
<security-constraint>
    <display-name>Deny all HTTP methods except GET and POST</display-name>
    <web-resource-collection>
        <url-pattern>/company/*</url-pattern>
        <url-pattern>/</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
• If, for your web application, you do not want any resource to be accessible unless you explicitly define a constraint that permits access to it, you can define an auth-constraint that names no roles and associate it with the URL pattern /. The URL pattern / is the weakest matching pattern. Do not list any HTTP methods in this constraint.
<!-- SECURITY CONSTRAINT #7 -->
<security-constraint>
    <display-name>
        Switch from Constraint to Permission model
        (where everything is denied by default)
    </display-name>
    <web-resource-collection>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
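To check what constraints #6 and #7 actually deny, the following added example (not code from the original text or from any servlet container) models the rules in simplified form: the best-matching URL pattern is selected, then any applicable constraint with a role-less auth-constraint denies the request. It assumes namespace-free descriptors; the /public/* constraint is hypothetical, added to show an explicit permission under the deny-by-default model.

```python
import xml.etree.ElementTree as ET

def load(xml_text):
    """Parse a namespace-free web.xml into one dict per security-constraint."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        wrc, auth = sc.find("web-resource-collection"), sc.find("auth-constraint")
        out.append({
            "patterns": [e.text.strip() for e in wrc.findall("url-pattern")],
            "omit": {e.text.strip() for e in wrc.findall("http-method-omission")},
            "only": {e.text.strip() for e in wrc.findall("http-method")},
            # an auth-constraint that names no roles means nobody may access
            "deny": auth is not None and not auth.findall("role-name"),
        })
    return out

def rank(pattern, path):
    """Match strength: exact > longest prefix > extension > default '/'."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def applies(c, method):
    """http-method lists covered methods; http-method-omission lists exempt ones."""
    return method in c["only"] if c["only"] else method not in c["omit"]

def denied(constraints, method, path):
    """True if the best-matching pattern carries an applicable role-less constraint."""
    hits = [(rank(p, path), c) for c in constraints for p in c["patterns"]]
    hits = [(r, c) for r, c in hits if r is not None]
    if not hits:
        return False  # no pattern matches: request is unconstrained
    best = max(r for r, _ in hits)
    return any(c["deny"] for r, c in hits if r == best and applies(c, method))

# Constructed descriptor mirroring constraint #6 from the text.
C6 = load("""<web-app><security-constraint><web-resource-collection>
  <url-pattern>/company/*</url-pattern><url-pattern>/</url-pattern>
  <http-method-omission>GET</http-method-omission>
  <http-method-omission>POST</http-method-omission>
</web-resource-collection><auth-constraint/></security-constraint></web-app>""")
# Constraint #7 plus a hypothetical /public/* constraint that permits access.
C7 = load("""<web-app><security-constraint><web-resource-collection>
  <url-pattern>/</url-pattern></web-resource-collection><auth-constraint/>
</security-constraint><security-constraint><web-resource-collection>
  <url-pattern>/public/*</url-pattern></web-resource-collection>
</security-constraint></web-app>""")
```

Calling `denied(C6, "DELETE", "/company/payroll")` returns True while the same path with GET returns False; under C7 every path is denied except those under the hypothetical /public/* pattern.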