
I want some of my pages to be opened securely. Most of those pages start with the name "my_account_".

As an example, one of those pages is "my_account_add_credit_card.xhtml".

In order to do this I have put the code below into web.xml:

<security-constraint>
    <web-resource-collection>           
        <web-resource-name>my account</web-resource-name>
        <description>my account</description>
        <url-pattern>/my_account_*</url-pattern>
    </web-resource-collection>  
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

But it did not work. I also changed the URL pattern as below:

<url-pattern>/*</url-pattern>

Then it worked, but the problem is that this will open every page in HTTPS; I don't want all the pages to be opened in HTTPS. I only need to open the pages which start with "my_account_".

I'm using GlassFish.

user2567005

1 Answer

tl;dr: According to the specs, your <url-pattern> does not do what you expect it to do. See below for possible solutions.

In the Servlet 3.0 spec, section 13.8.3 Processing requests (under the "Security" chapter) describes how the security constraints for a request are selected:

When a Servlet container receives a request, it shall use the algorithm described in “Use of URL Paths” on page 95 to select the constraints (if any) defined on the urlpattern that is the best match to the request URI.

The section referred to above describes how URLs are matched. Specifically, in section 12.2, the mappings are specified:

  • A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
  • A string beginning with a ‘*.’ prefix is used as an extension mapping.
  • A string containing only the ‘/’ character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
  • All other strings are used for exact matches only.

According to this, your mapping of /my_account_* falls in the LAST category (it does not end with /* to fall in the first). This is why the mapping is not working.

What can you do?

  1. I would suggest changing your directory layout: instead of (e.g.)

    /my_account_file1.jsp
    /my_account_file2.jsp
    

    Make a directory and put those files inside:

    /my_account/
        file1.jsp
        file2.jsp
    

    And the mapping should become:

    <url-pattern>/my_account/*</url-pattern>
    
  2. You can use a 3rd party security library, like Spring Security, Apache Shiro or JBoss Picketlink.

  3. You can add a filter to /* and programmatically enforce security (NO, DON'T DO IT YOURSELF, SEE POINT 2, INCLUDED HERE JUST FOR THE SAKE OF COMPLETENESS). Similar approaches can be accomplished using servlets, but I recommend AGAINST this.

Nikos Paraskevopoulos
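The following is an added illustration, not code from the question or the answer above. It models the four <url-pattern> classification rules of Servlet 3.0 section 12.2 and a best-match selection in Python, so the questioner's two web.xml attempts (`/my_account_*` and `/*`) can be compared side by side with the directory-based `/my_account/*` mapping the answer recommends. The three constraint lists and the request paths are constructed for the demonstration; the ranking used in `best_match` (exact, then longest path prefix, then extension, then default) is the ordering used for servlet mapping and is an assumption as far as security-constraint selection in any particular container goes.

```python
"""Servlet <url-pattern> matching as described in Servlet 3.0 spec section 12.2.

Added illustration (not the questioner's or the answerer's code). It shows why
"/my_account_*" is treated as an exact-match string and therefore never matches
"/my_account_add_credit_card.xhtml", while "/my_account/*" is a path mapping.
"""


def match_kind(pattern: str) -> str:
    """Classify a <url-pattern> according to the four rules of section 12.2."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"        # e.g. /my_account/*  (path mapping)
    if pattern.startswith("*."):
        return "extension"   # e.g. *.xhtml        (extension mapping)
    if pattern == "/":
        return "default"     # the application's default servlet
    return "exact"           # everything else, including /my_account_*


def pattern_matches(pattern: str, path: str) -> bool:
    """True if the request path (context path already removed) matches the pattern."""
    kind = match_kind(pattern)
    if kind == "path":
        prefix = pattern[:-2]                      # drop the trailing "/*"
        # "/my_account/*" matches "/my_account" itself and anything below it
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        # only the last path segment is checked for the extension
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if kind == "default":
        return True
    return path == pattern                         # exact: literal string equality


def best_match(patterns, path):
    """Return the single best-matching pattern, or None if nothing matches.

    Ranking (assumed, taken from servlet mapping rules): exact match first,
    then the longest matching path prefix, then extension, then default.
    """
    rank = {"exact": 3, "path": 2, "extension": 1, "default": 0}
    candidates = [p for p in patterns if pattern_matches(p, path)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: (rank[match_kind(p)], len(p)))


def requires_https(constraints, path):
    """constraints: list of (url_pattern, transport_guarantee) pairs, i.e. the
    information carried by <security-constraint> elements in web.xml.
    Returns True when the best-matching constraint demands CONFIDENTIAL."""
    winner = best_match([p for p, _ in constraints], path)
    if winner is None:
        return False                               # no constraint applies: plain HTTP allowed
    return dict(constraints)[winner] == "CONFIDENTIAL"


# Constructed equivalents of the three web.xml variants discussed on the page.
QUESTION_CONSTRAINTS = [("/my_account_*", "CONFIDENTIAL")]   # first attempt: exact match only
CATCH_ALL_CONSTRAINTS = [("/*", "CONFIDENTIAL")]             # second attempt: everything over HTTPS
ANSWER_CONSTRAINTS = [("/my_account/*", "CONFIDENTIAL")]     # directory-based layout

if __name__ == "__main__":
    cases = [
        ("question  ", QUESTION_CONSTRAINTS, "/my_account_add_credit_card.xhtml"),
        ("catch-all ", CATCH_ALL_CONSTRAINTS, "/index.xhtml"),
        ("answer    ", ANSWER_CONSTRAINTS, "/my_account/add_credit_card.xhtml"),
        ("answer    ", ANSWER_CONSTRAINTS, "/index.xhtml"),
    ]
    for label, constraints, path in cases:
        print(f"{label} {path:40s} kind={match_kind(constraints[0][0]):9s} "
              f"https={requires_https(constraints, path)}")
```

Running the block prints one line per case: the first attempt never forces HTTPS for the account page, the catch-all forces it for every page, and the directory layout forces it for `/my_account/...` only.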