Picky <security-constraint> rules for <auth-constraint> sub-elements

Even though it’s got constraint in its name, this is the sub-element that specifies which roles are ALLOWED to access the web resources specified by the <web-resource-collection> sub-element(s).

The <auth-constraint> sub-element of <security-constraint>

image with no caption

<role-name> rules

  • Within an <auth-constraint> element, the <role-name> element is OPTIONAL.

  • If <role-name> elements exist, they tell the Container which roles are ALLOWED.

  • If an <auth-constraint> element exists with NO <role-name> element, then NO USERS ARE ALLOWED.

  • If <role-name>*</role-name> then ALL users are ALLOWED.

  • Role names are case-sensitive.

<auth-constraint> rules

  • Within a <security-constraint> element, the <auth-constraint> element is OPTIONAL.

  • If an <auth-constraint> exists, the Container MUST perform authentication for the associated URLs.

  • If an <auth-constraint> does NOT exist, the Container MUST allow unauthenticated access for these URLs.

  • For readability, you can add a <description> inside <auth-constraint>.

Get Head First Servlets and JSP, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial