Skip to main content

Role "**" in Servlet 3.1 security-constraint

Posted by swchan2 on April 19, 2013 at 11:11 AM PDT

Servlet 3.1 Specification (JSR 340) and Java Authorization Contract for Containers (JSR 115) MR3 are almost ready for release. Besides "*", the role-name "**" is introduced in the above two specifications.

In a nutshell, "*" means any role defined in web.xml and "**" means any authenticated user.

Prior to Servlet 3.1, web containers use proprietary mechanisms to add security-constraints for any authenticated user. For instance, GlassFish v1 achieves this through the use of assign-groups.

Let us look at an example of how to use "**" to have a security-constraint in Servlet 3.1.
Suppose we have three servlets with a snapshot of web.xml in a web application as follows:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>forFooServlet</web-resource-name>
        <url-pattern>/foo</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>**</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>forBarServlet</web-resource-name>
        <url-pattern>/bar</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>forBazServlet</web-resource-name>
        <url-pattern>/baz</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>admin</role-name>
</security-role>

<security-role>
    <role-name>staff</role-name>
</security-role>

In this case, only "admin" and "staff" roles are defined.
Suppose we have the following security-role-mapping in glassfish-web.xml. Note that group contractor does not map to any role below.

  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>manager</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>staff</role-name>
    <group-name>staff</group-name>
  </security-role-mapping>

Suppose Alice, Bob and Carol are authenticated users for the web application. The following table summarizes the behavior of "*" and "**".

user group role /foo ("**") /bar ("*") /baz ("admin")
Alice manager admin ok ok ok
Bob staff staff ok ok deny
Carol contractor   ok deny deny

The feature "**" has been implemented in GlassFish 4.0. You can download it from here.