Closed fl4via closed 2 years ago
I think this does need to be clarified, but I think the tutorial is actually correct. My logic is:
https://jakarta.ee/specifications/servlet/5.0/jakarta-servlet-spec-5.0.html#processing-requests
This section says:
When a servlet container receives a request, it shall use the algorithm described in Section 12.1, “Use of URL Paths” to select the constraints (if any) defined on the url-pattern that is the best match to the request URI.
Now this section talks about mapping requests to servlets, but in this case we are talking about mapping requests to auth constraints. Logically this would then mean that if you had an auth-constraint with "/" then this would become the default auth constraint that would be applied if no other auth constraints match.
@gregw @markt-asf what do you guys think?
@stuartwdouglas I agree that a security constraint mapped to "/" will match any URI not matched by other constraints. Modulo methods and the complexity of uncovered methods.
As this issue is explained by the comments above, I'm closing it. Thank you @gregw and @stuartwdouglas for clarification!
Hi everyone!
When I read the spec, to me it is clear that "/" always refers to the default servlet. That being the case, if I have a configuration like the one below, to me it would seem logical that it refers to the default servlet only:
While, if I used "/*" as my url-pattern, then I would be referring to all URLs possible in my application:
However, the Java EE Tutorial states that:
So, what exactly would a "/" url-pattern refer to? I think it might be worth adding some text to the spec (section 13.8) that makes this clear and, if the Java EE Tutorial is not entirely correct in its statement, fixing that as well. Thanks!