Showing posts from April 2, 2015

How Java EE translates web.xml constraints to Permission instances

It's a well known fact that in Java EE security one can specify security constraints in web.xml . It's perhaps a little lesser known fact that in full profile Java EE servers those constraints are translated by the container to instances of the Permission class. The specifications responsible for this are Servlet and JACC. This article shows a simple example of what this translation looks like. Web.xml constraints We're putting the following constraints in web.xml : <security-constraint> <web-resource-collection> <web-resource-name>Forbidden Pattern</web-resource-name> <url-pattern>/forbidden/*</url-pattern> </web-resource-collection> <auth-constraint/> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Protected Pattern</web-resource-name> <url-pattern>/protected/*</url-pattern> </w