** not working in web.xml security-contraints

问题

I want to have unrestricted access for /gadgets/{any directory}/css/*. I tried to mention like this

<security-constraint>
  <web-resource-collection>
    <web-resource-name>UnProtected Area</web-resource-name>
    <url-pattern>/gadgets/**/css/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/gadgets/*</url-pattern>
  </web-resource-collection>
   <auth-constraint>
     <role-name>LOGIN</role-name>
   </auth-constraint>
</security-constraint>

But it is not working.

回答1:

The pattern you are trying to use is not supported by the servlet specification (downloadable here):

In the Web application deployment descriptor, the following syntax is used to define mappings:

• A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
• A string beginning with a ‘*.’ prefix is used as an extension mapping.
• The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form http://host:port//. In this case the path info is ’/’ and the servlet path and context path is empty string (““).
• A string containing only the ’/’ character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
• All other strings are used for exact matches only

Accordingly, if you need to match all CSS files, your should be able to specify it as an extension mapping:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Unprotected Area</web-resource-name>
    <url-pattern>*.css</url-pattern>
  </web-resource-collection>
</security-constraint>

回答2:

i got the same Problem. My *.css and *.js Files are located in WebRoot/resources/css and in WebRoot/resources/script. To access those files I added the line <mvc:resources mapping="/resources/**" location="/resources/" /> to my "*-servlet.xml".
Now I allowed access for all user-roles by adding following code to my web.xml as the last security-constraint:
<security-constraint> <web-resource-collection> <web-resource-name>CSS and JS Files</web-resource-name> <url-pattern>/resources/*</url-pattern> </web-resource-collection> </security-constraint>
I hope this helps.

来源：https://stackoverflow.com/questions/36026023/not-working-in-web-xml-security-contraints