Search code examples
xmltomcatjbossweb.xmlsecurity-constraint

Web.xml: Are url-pattern tags relative to each other?

   <servlet-mapping>
      <servlet-name>myName</servlet-name>
      <url-pattern>/aName</url-pattern>
   </servlet-mapping>

    <security-constraint>

            <web-resource-collection>

                    ...

                    <url-pattern>
                            /*
                    </url-pattern>

            </web-resource-collection>

             ...

    </security-constraint>

This is an excerpt from web.xml (using it to configure a jboss/tomcat webservice). Just wondering if the url-pattern in web-resource-collection is relative to the url-pattern in servlet-mapping.

Solution

  • The url-pattern used to select the constraints for a given request are not relative to anything. The interesting parts of the Servlet spec here are:

    SRV.12.8.3 Processing Requests

    When a Servlet container receives a request, it shall use the algorithm described in SRV.11.1 to select the constraints (if any) defined on the url-pattern that is the best match to the request URI. If no constraints are selected, the container shall accept the request. Otherwise the container shall determine if the HTTP method of the request is constrained at the selected pattern. If it is not, the request shall be accepted. Otherwise, the request must satisfy the constraints that apply to the http-method at the url-pattern. Both of the following rules must be satisfied for the request to be accepted and dispatched to the associated servlet.

    And:

    SRV.11.1 Use of URL Paths

    Upon receipt of a client request, the Web container determines the Web application to which to forward it. The Web application selected must have the longest context path that matches the start of the request URL. The matched part of the URL is the context path when mapping to servlets.

    The Web container next must locate the servlet to process the request using the path mapping procedure described below.

    The path used for mapping to a servlet is the request URL from the request object minus the context path and the path parameters. The URL path mapping rules below are used in order. The first successful match is used with no further matches attempted:

    1. The container will try to find an exact match of the path of the request to the path of the servlet. A successful match selects the servlet.
    2. The container will recursively try to match the longest path-prefix. This is done by stepping down the path tree a directory at a time, using the ’/’ character as a path separator. The longest match determines the servlet selected.
    3. If the last segment in the URL path contains an extension (e.g. .jsp), the servlet container will try to match a servlet that handles requests for the extension. An extension is defined as the part of the last segment after the last ’.’ char- acter.
    4. If neither of the previous three rules result in a servlet match, the container will attempt to serve content appropriate for the resource requested. If a "default" servlet is defined for the application, it will be used.

    SRV.11.2 Specification of Mappings

    In the Web application deployment descriptor, the following syntax is used to define mappings:

    • A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
    • A string beginning with a ‘*.’ prefix is used as an extension mapping.
    • A string containing only the ’/’ character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
    • All other strings are used for exact matches only.