Web.xml: Are url-pattern tags relative to each other?
<servlet-mapping>
<servlet-name>myName</servlet-name>
<url-pattern>/aName</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
...
<url-pattern>
/*
</url-pattern>
</web-resource-collection>
...
</security-constraint>
This is an excerpt from web.xml (using it to configure a jboss/tomcat webservice). Just wondering if the url-pattern
in web-resou开发者_运维知识库rce-collection
is relative to the url-pattern
in servlet-mapping
.
The url-pattern
used to select the constraints for a given request are not relative to anything. The interesting parts of the Servlet spec here are:
SRV.12.8.3 Processing Requests
When a Servlet container receives a request, it shall use the algorithm described in SRV.11.1 to select the constraints (if any) defined on the
url-pattern
that is the best match to the request URI. If no constraints are selected, the container shall accept the request. Otherwise the container shall determine if the HTTP method of the request is constrained at the selected pattern. If it is not, the request shall be accepted. Otherwise, the request must satisfy the constraints that apply to thehttp-method
at theurl-pattern
. Both of the following rules must be satisfied for the request to be accepted and dispatched to the associated servlet.
And:
SRV.11.1 Use of URL Paths
Upon receipt of a client request, the Web container determines the Web application to which to forward it. The Web application selected must have the longest context path that matches the start of the request URL. The matched part of the URL is the context path when mapping to servlets.
The Web container next must locate the servlet to process the request using the path mapping procedure described below.
The path used for mapping to a servlet is the request URL from the request object minus the context path and the path parameters. The URL path mapping rules below are used in order. The first successful match is used with no further matches attempted:
- The container will try to find an exact match of the path of the request to the path of the servlet. A successful match selects the servlet.
- The container will recursively try to match the longest path-prefix. This is done by stepping down the path tree a directory at a time, using the ’/’ character as a path separator. The longest match determines the servlet selected.
- If the last segment in the URL path contains an extension (e.g. .jsp), the servlet container will try to match a servlet that handles requests for the extension. An extension is defined as the part of the last segment after the last ’.’ char- acter.
- If neither of the previous three rules result in a servlet match, the container will attempt to serve content appropriate for the resource requested. If a "default" servlet is defined for the application, it will be used.
SRV.11.2 Specification of Mappings
In the Web application deployment descriptor, the following syntax is used to define mappings:
- A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
- A string beginning with a ‘*.’ prefix is used as an extension mapping.
- A string containing only the ’/’ character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
- All other strings are used for exact matches only.
It would make sense to me that the security-constraint/web-resource-collection/url-pattern is not relative to the servlet-mapping/url-pattern, for the following reason: there can be several servlet-mapping elements in web.xml, in which case it would not be clear which servlet-mapping/url-pattern to take to resolve the relative URI, were it one. (Just a guess - I have not used security constraints in tomcat yet).
No, they are not relative to each other; there is no way to bind a given servlet-mapping to a security-constraint. Both are applied to a given URL pattern, security constraint can also be applied only to specific HTTP methods (GET, POST, ...) so they are quite independent.
Both elements are defined and described in the Servlet specification. You might want to read sections SRV.12.8 about security, and details about the url-pattern element.
精彩评论