How multiple <security-constraint> elements interact

Just when you thought you had <security-constraint> figured out, you realize that multiple <security-constraint> elements might conflict. Look at the DD fragments below, and imagine the different combinations of <auth-constraint> configurations that might be used. What happens, for example, if one <security-constraint> denies access while another <security-constraint> explicitly grants access... to the same constrained resource, for the same role? Which <security-constraint> wins? The table on the opposite page has all the answers.

Multiple <security-constraint> elements with the same (or partly-matching) URL patterns and <http-method> elements:


How should the container handle authorization when the same resource is used by more than one <security-constraint>?
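Two constructed pairs of conflicting DD fragments, added here as an example and not taken from the book's figure; the URL patterns, resource names and the Admin role are assumptions. The comments give the outcome under the Servlet specification's rules for combining constraints that share a URL pattern and HTTP method.

```xml
<!-- Constructed web.xml fragment; URL patterns, resource names and roles are assumptions. -->
<web-app>
  <!-- Case 1: one constraint grants Admin, the other has an empty <auth-constraint/>.
       The empty element overrides everything else: NO role may POST to /reports/*. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports A</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports B</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Case 2: one constraint grants Admin, the other has no <auth-constraint> at all.
       The missing element wins: EVERYONE may POST to /orders/*, without authenticating.
       This is the combination to look for when auditing a DD. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Orders A</web-resource-name>
      <url-pattern>/orders/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Orders B</web-resource-name>
      <url-pattern>/orders/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>
```

Had both constraints in a pair named roles (for example Admin in one and a hypothetical Member in the other), the permitted set would be the union of the two.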
