tion, you must specify a URL pattern you want to secure. In our example, we use the <url-pattern> element to specify that we want to secure the /services/customers URL. The <http-method> element says that we only want to secure POST requests to this URL. If we leave out the <http-method> element, all HTTP methods are secured. In our example, we only want to secure POST requests, so we must define the <http-method> element. Note that constraining only POST leaves every other method on that URL (GET, PUT, DELETE, and so on) uncovered by this constraint.
Next, we have to specify which roles are allowed to POST to /services/customers. In the web.xml file example, we define an <auth-constraint> element within a <security-constraint>. This element has one or more <role-name> elements that define which roles are allowed to access the constrained resource. In our example, applying this XML gives only the admin role permission to POST to the /services/customers URL.
If you set a <role-name> of * instead, any user would be able to access the constrained
URL. Authentication with a valid user would still be required, though. In other words, a
<role-name> of * means anybody who is able to log in can access the resource.
Finally, there is one more declaration web.xml requires. For every <role-name> we use in our <auth-constraint> declarations, we must define a corresponding <security-role> element in the deployment descriptor.
There is a minor limitation when you're declaring <security-constraint> elements for JAX-RS resources. The <url-pattern> element does not have as rich an expression syntax as JAX-RS @Path annotation values. In fact, it is extremely limited. It supports only simple wildcard matches via the * character. No regular expressions are supported.
The wildcard pattern can only be used at the end of a URL pattern or to match file extensions. When used at the end of a URL pattern, the wildcard matches every remaining character in the incoming URL. For example, /foo/* would match /foo itself and any URL path under /foo/. To match file extensions, you use the format *.<suffix>. For example, the *.txt pattern matches any URL that ends with .txt. No other uses of the wildcard character are permitted in URL patterns. For example, here are some illegal expressions:
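The following Python script is an added example, not code from the book or from any JAX-RS implementation. It embeds a constructed web.xml that mirrors the constraint described above (only POST to /services/customers restricted to admin) plus a second constructed descriptor that breaks both rules just discussed. The script classifies each <url-pattern> as exact, prefix (/foo/*) or extension (*.txt) and flags anything else as illegal, checks that every <role-name> in an <auth-constraint> is declared in a <security-role>, and then answers "which roles may send this method to this path" by combining matching constraints the way the Servlet specification does (an empty <auth-constraint/> denies everyone, a constraint with no <auth-constraint> opens the resource, otherwise the roles are unioned). The function names and the sample descriptors are the example's own.

```python
"""Lint and evaluate web.xml <security-constraint> declarations.

Added example (not from the book): checks url-pattern wildcard rules and
role-name/security-role consistency, then resolves which roles may access
a given METHOD + PATH the way a servlet container combines constraints.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml matching the text: only POST /services/customers is
# limited to the admin role; every other method on that URL is uncovered.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>customer creation</web-resource-name>
      <url-pattern>/services/customers</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
"""

# Constructed descriptor with both mistakes the text warns about:
# a wildcard in the middle of a pattern and an undeclared role.
BAD_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/foo/*.txt</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def classify_pattern(pattern):
    """Return 'exact', 'prefix' or 'extension', or None if the pattern is illegal."""
    stars = pattern.count("*")
    if stars == 0 and pattern.startswith("/"):
        return "exact"
    if stars == 1 and pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"        # e.g. /foo/*
    if stars == 1 and pattern.startswith("*.") and len(pattern) > 2 and "/" not in pattern:
        return "extension"     # e.g. *.txt
    return None                # e.g. /foo/*.txt or /*/foo/*


def pattern_matches(pattern, path):
    """Servlet-style match of a request path against one legal url-pattern."""
    kind = classify_pattern(pattern)
    if kind == "exact":
        return path == pattern
    if kind == "prefix":
        base = pattern[:-2]    # "/foo/*" covers "/foo" and anything under "/foo/"
        return path == base or path.startswith(base + "/")
    if kind == "extension":
        return path.endswith(pattern[1:])
    return False


def parse_web_xml(xml_text):
    """Return (constraints, declared_roles, problems).

    Each constraint is (patterns, methods, roles): an empty methods set means
    every HTTP method; roles None means no <auth-constraint> (open to all);
    an empty roles set means an empty <auth-constraint/> (nobody).
    """
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for r in root.findall("{*}security-role/{*}role-name")}
    constraints, problems = [], []
    for sc in root.findall("{*}security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.findall("{*}web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("{*}url-pattern")]
            methods |= {m.text.strip().upper() for m in wrc.findall("{*}http-method")}
        problems += [f"illegal url-pattern {p!r}" for p in patterns if classify_pattern(p) is None]
        auth = sc.find("{*}auth-constraint")
        roles = None
        if auth is not None:
            roles = {r.text.strip() for r in auth.findall("{*}role-name")}
            problems += [f"role {r!r} used but not declared in <security-role>"
                         for r in sorted(roles - declared - {"*"})]
        constraints.append((patterns, methods, roles))
    return constraints, declared, problems


def allowed_roles(constraints, method, path):
    """Roles permitted to send METHOD to PATH; None = unconstrained request,
    {"*"} = any authenticated user, empty set = nobody."""
    matched = [roles for patterns, methods, roles in constraints
               if (not methods or method.upper() in methods)
               and any(pattern_matches(p, path) for p in patterns)]
    if not matched:
        return None
    if any(roles == set() for roles in matched):
        return set()           # an empty <auth-constraint/> overrides everything
    if any(roles is None for roles in matched):
        return None            # a constraint without <auth-constraint> opens the resource
    return set().union(*matched)


if __name__ == "__main__":
    constraints, _, problems = parse_web_xml(WEB_XML)
    print("POST /services/customers ->", allowed_roles(constraints, "POST", "/services/customers"))
    print("GET  /services/customers ->", allowed_roles(constraints, "GET", "/services/customers"))
    print("problems in BAD_WEB_XML ->", parse_web_xml(BAD_WEB_XML)[2])
```

Running it shows the point made above about <http-method>: POST resolves to the admin role, while GET to the same URL resolves to None, that is, no constraint applies and the container will serve it without authentication. The second descriptor is rejected for its mid-pattern wildcard and its undeclared auditor role before any request is evaluated.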