The <security-constraint> rules for <web-resource-collection> elements

Remember; the purpose of the <web-resource-collection> sub-element is to tell the container which resources and HTTP Method combinations should be constrained in such a way that they can be accessed only by the roles in the corresponding <auth-constraint> tag. We wish we could tell you to relax here, but you really do need to know the details of these elements. If you make one little mistake in the security part of your DD, you could leave the most sensitive parts of your app open to... everyone.

Key points about <web-resource-collection>

The <web-resource-collection> element has two primary sub-elements: <url-pattern> (one or more) <http-method> (optional, zero or more).
The URL patterns and HTTP Methods together define resource requests that are constrained to be accessible by only those roles defined in <auth-constraint>.
A <web-resource-name> element is MANDATORY (even though you probably won’t use it for anything yourself). (Assume it’s for IDE or future use.)
A <description> element is OPTIONAL.
The <url-pattern> element uses servlet standard naming and mapping rules (refer back to the deployment chapter for details on URL patterns).
You must specify at least one <url-pattern>, but you can have many.
Valid Methods for the <http-method> element are: GET, POST, PUT, TRACE, DELETE, HEAD, and OPTIONS.
If no HTTP Methods are specified then
ALL Methods will be constrained (which means they can be accessed only by the roles ...

Get Head First Servlets and JSP, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Head First Servlets and JSP, 2nd Edition by Kathy Sierra, Bryan Basham, Bert Bates

The <security-constraint> rules for <web-resource-collection> elements

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly