Questions tagged [security-constraint]

A security constraint defines the access privileges to a collection of resources using their URL mapping.

A security constraint includes an authorization constraint that specifies whether users can access the path.

The following subelements can be part of a security-constraint:

  • Web resource collection,

    A list of URL patterns (the part of a URL after the host name and port you want to constrain) and HTTP operations (the methods within the files that match the URL pattern you want to constrain) that describe a set of resources to be protected. Web resource collections are discussed in Specifying a Web Resource Collection.

  • Authorization constraint,

    Specifies whether authentication is to be used and names the roles authorized to perform the constrained requests. For more information about authorization constraints, see Specifying an Authentication Mechanism in the Deployment Descriptor.

  • User data constraint.

    Specifies how data is protected when transported between a client and a server. User data constraints are discussed in Specifying a Secure Connection.

Read more at: Specifying Security Constraints at Oracle site.

87 questions
4 votes, 1 answer

Multiple security-constraints: last one excluding preceding url-patterns

I need to define security-constraints for three different sections of my web application. One for /admin/*, one for /account/* and a tricky one. This last one should match everything except the preceding url-patterns (/* excluding /admin/* and…
Menno
3 votes, 1 answer

tomcat security constraints

How do you negate a security constraint in tomcat? Basically, I have one security constraint defined which sets up basic authentication for the entire context. How can I exclude one file, for example, /public-available.html from this? So I have…
JustDanyul
3 votes, 1 answer

Are there side effects of having an empty security-constraint tag in your web.xml file?

I am currently working on a prototype project that has a frontend built with Apache Wicket and uses a web.xml file. Since we are prototyping, we don't have any requirements or need to implement any security related features yet. That being said, the…
Eoin
3 votes, 0 answers

How to add CorsFilter along with Security-constraints in apache tomee?

I have some RESTful web services developed in java using JAX-RS. I need to enable basic authentication on some of the methods. I am using apache tomee plume 7.0.2 as my application server. I used security-constraint tag in web.xml to secure methods.…
3 votes, 1 answer

Web.xml security constraint on context-root doesn't apply

I have a java webapp that uses web.xml to configure its security: webPages All web resources
user1884155
3 votes, 3 answers

How to fix Tomcat access to the requested resource which has been denied?

Update: The code works correctly when the element is removed completely. Can anyone explain why it doesn't work when present? I'm writing some code to practice securing a servlet in the deployment descriptor, and I'm getting the…
Jeff Levine
3 votes, 1 answer

Welcome file ignores security constraint

my web.xml: javax.faces.PROJECT_STAGE Development
Ivan Ivanovich
2 votes, 2 answers

Tomcat 7 - Multiple security-constraints not working

Running Tomcat 7, I am trying to configure the /conf/web.xml on the Tomcat server to secure some URLs with basic authentication and to provide some other URLs for public access. The tomcat-users.xml contains the following role and user:
Paul Kuhn
2 votes, 1 answer

How to secure the default page of Tomcat?

I want to make the default page of my Tomcat7 server private, i.e. accessible only after .htaccess password has been entered. I mean this page: For that purpose, I added: to…
Glory to Russia
2 votes, 0 answers

security constraints using web.xml jsp outside web-inf

I have read most of the links which have helped me with the syntax for the security constraints, but somehow it does not work for me. No_Access
sivaram
2 votes, 1 answer

How to use security constraints to redirect users to specific pages?

I have 2 groups ts_admin and ts_users. From the login page, an admin after logging in should go straight to admin view and the user to the user view. I'm not sure how to go about that, I need help. I have loaded an XML page containing security…
eldix_
2 votes, 1 answer

Declare security constraint on user with multiple roles inclusive

I have 2 roles. One is admin role that can see all pages. Admin Pages /*
bob-cac
2 votes, 1 answer

Exclude url from security constraint

I have configured ADFS SAML on weblogic server and have added corresponding entry in web.xml. I want to exclude one url from authorization through ADFS SAML so I have added security constraint without auth-constraint in web.xml. So now I am…
happy
2 votes, 0 answers

Tomcat: define security-constraints in context.xml

Similar to Define a outside of web.xml (e.g. server-wide), I am trying to define a security-constraint outside of my application's WEB-INF/web.xml. However, unlike that question, I don't want to define it server-wide. I have…
Wisco crew