<servlet-mapping>
<servlet-name>myName</servlet-name>
<url-pattern>/aName</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
...
<url-pattern>
/*
</url-pattern>
</web-resource-collection>
...
</security-constraint>
This is an excerpt from web.xml (using it to configure a jboss/tomcat webservice). Just wondering if the url-pattern
in web-resource-collection
is relative to the url-pattern
in servlet-mapping
.
The url-pattern
used to select the constraints for a given request are not relative to anything. The interesting parts of the Servlet spec here are:
SRV.12.8.3 Processing Requests
When a Servlet container receives a
request, it shall use the algorithm
described in SRV.11.1 to select the
constraints (if any) defined on the
url-pattern
that is the best match to
the request URI. If no constraints are
selected, the container shall accept
the request. Otherwise the container
shall determine if the HTTP method of
the request is constrained at the
selected pattern. If it is not, the
request shall be accepted. Otherwise,
the request must satisfy the
constraints that apply to the http-method
at the url-pattern
. Both of the
following rules must be satisfied for
the request to be accepted and
dispatched to the associated servlet.
And:
SRV.11.1 Use of URL Paths
Upon receipt of a client request, the Web container determines the Web application
to which to forward it. The Web application selected must have the longest
context path that matches the start of the request URL. The matched part of the URL
is the context path when mapping to servlets.
The Web container next must locate the servlet to process the request using
the path mapping procedure described below.
The path used for mapping to a servlet is the request URL from the request
object minus the context path and the path parameters. The URL path mapping
rules below are used in order. The first successful match is used with no further
matches attempted:
- The container will try to find an exact match of the path of the request to the
path of the servlet. A successful match selects the servlet.
- The container will recursively try to match the longest path-prefix. This is done
by stepping down the path tree a directory at a time, using the ’/’ character as
a path separator. The longest match determines the servlet selected.
- If the last segment in the URL path contains an extension (e.g. .jsp), the servlet container will try to match a servlet that handles requests for the extension.
An extension is defined as the part of the last segment after the last ’.’ char-
acter.
- If neither of the previous three rules result in a servlet match, the container will
attempt to serve content appropriate for the resource requested. If a "default"
servlet is defined for the application, it will be used.
SRV.11.2 Specification of Mappings
In the Web application deployment descriptor, the following syntax is used to define
mappings:
- A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used
for path mapping.
- A string beginning with a ‘*.’ prefix is used as an extension mapping.
- A string containing only the ’/’ character indicates the "default" servlet of
the application. In this case the servlet path is the request URI minus the context path and the path info is null.
- All other strings are used for exact matches only.
It would make sense to me that the security-constraint/web-resource-collection/url-pattern is not relative to the servlet-mapping/url-pattern, for the following reason: there can be several servlet-mapping elements in web.xml, in which case it would not be clear which servlet-mapping/url-pattern to take to resolve the relative URI, were it one.
(Just a guess - I have not used security constraints in tomcat yet).
No, they are not relative to each other; there is no way to bind a given servlet-mapping to a security-constraint. Both are applied to a given URL pattern, security constraint can also be applied only to specific HTTP methods (GET, POST, ...) so they are quite independent.
Both elements are defined and described in the Servlet specification. You might want to read sections SRV.12.8 about security, and details about the url-pattern element.