tion, you must specify a URL pattern you want to secure. In our example, we use the <url-pattern> element to specify that we want to secure the /services/customers URL. The <http-method> element says that we only want to secure POST requests to this URL. If we leave out the <http-method> element, all HTTP methods are secured. In our example, we only want to secure POST requests, so we must define the <http-method> element.
Next, we have to specify which roles are allowed to POST to /services/customers. In the web.xml file example, we define an <auth-constraint> element within a <security-constraint>. This element has one or more <role-name> elements that define which roles are allowed to access the defined constraint. In our example, applying this XML only gives the admin role permission to access the /services/customers URL.
If you set a <role-name> of * instead, any user would be able to access the constrained URL. Authentication with a valid user would still be required, though. In other words, a <role-name> of * means anybody who is able to log in can access the resource.
Finally, there's an additional bit of syntactic sugar we need to specify in web.xml. For every <role-name> we use in our <auth-constraint> declarations, we must define a corresponding <security-role> in the deployment descriptor.
There is a minor limitation when you're declaring <security-constraint> elements for JAX-RS resources. The <url-pattern> element does not have as rich an expression syntax as JAX-RS @Path annotation values. In fact, it is extremely limited. It supports only simple wildcard matches via the * character. No regular expressions are supported. For example:
▪ /*
▪ /foo/*
▪ *.txt
The wildcard pattern can only be used at the end of a URL pattern or to match file extensions. When used at the end of a URL pattern, the wildcard matches every character in the incoming URL. For example, /foo/* would match any URL that starts with /foo. To match file extensions, you use the format *.<suffix>. For example, the *.txt pattern matches any URL that ends with .txt. No other uses of the wildcard character are permitted in URL patterns. For example, here are some illegal expressions:
▪ /foo/*/bar
▪ /foo/*.txt
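The constraint, role declaration and wildcard rules described above, pulled together in one deployment descriptor. This is an added example, not the book's own web.xml listing; it assumes a role named admin, a second hypothetical resource tree under /services/reports, and a <login-config> declared elsewhere in the same descriptor.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (not the book's listing). Assumes the "admin" role,
     a hypothetical /services/reports resource tree, and a <login-config>
     declared elsewhere in this descriptor. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>customer creation</web-resource-name>
      <!-- Exact pattern, no wildcard: only /services/customers itself is
           covered, a request to /services/customers/42 is not. -->
      <url-pattern>/services/customers</url-pattern>
      <!-- Only POST is constrained. GET, PUT and DELETE to this URL remain
           unconstrained; omit <http-method> to constrain every method. -->
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only authenticated users in the admin role may POST here. -->
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <!-- Trailing wildcard, one of the two legal wildcard forms (the other is
           *.suffix). Matches /services/reports, /services/reports/2024, etc.
           /services/*/reports or /services/*.pdf would be rejected. -->
      <url-pattern>/services/reports/*</url-pattern>
      <!-- No <http-method>: every HTTP method is constrained. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- "*" grants access to any user who can log in; a login is still
           required, only the role check is waived. -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Every role named in an <auth-constraint> needs a <security-role>. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```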