appserver/tests/appserv-tests/devtests/security/jaccmr8/descriptor/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--

    Copyright (c) 2013, 2018 Oracle and/or its affiliates. All rights reserved.

    This program and the accompanying materials are made available under the
    terms of the Eclipse Public License v. 2.0, which is available at
    http://www.eclipse.org/legal/epl-2.0.

    This Source Code may also be made available under the following Secondary
    Licenses when the conditions for such availability set forth in the
    Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
    version 2 with the GNU Classpath Exception, which is available at
    https://www.gnu.org/software/classpath/license.html.

    SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0

-->

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee web-app_3_1.xsd" version="3.1">

    <display-name>jaccmr8</display-name>
    <distributable></distributable>

    <!-- Protect HTTP methods that are not stated in the security constraints -->
    <deny-uncovered-http-methods></deny-uncovered-http-methods>

    <!-- See URL patterns on @WebServlet annotation
    <servlet>
        <servlet-name>Servlet</servlet-name>
        <servlet-class>org.glassfish.jacc.test.mr8.Servlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>Servlet</servlet-name>
        <url-pattern>/authuser</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Servlet</servlet-name>
        <url-pattern>/anyauthuser</url-pattern>
    </servlet-mapping>
    -->

        <security-constraint>
                <web-resource-collection>
            <web-resource-name>authuser</web-resource-name>
                        <url-pattern>/authuser</url-pattern>
                        <http-method>GET</http-method>
                        <http-method>POST</http-method>
                </web-resource-collection>
                <auth-constraint>
                        <role-name>javaUsers</role-name>
                </auth-constraint>
        </security-constraint>
        <security-constraint>
                <web-resource-collection>
            <web-resource-name>anyauthuser</web-resource-name>
                        <url-pattern>/anyauthuser</url-pattern>
                        <http-method>GET</http-method>
                        <http-method>POST</http-method>
                </web-resource-collection>
                <auth-constraint>
                        <role-name>**</role-name>
                </auth-constraint>
        </security-constraint>
        <security-constraint>
                <web-resource-collection>
            <web-resource-name>star</web-resource-name>
                        <url-pattern>/star</url-pattern>
                        <http-method>GET</http-method>
                        <http-method>POST</http-method>
                </web-resource-collection>
                <!-- Will not include any authenticated user unless declared as security-role -->
                <auth-constraint>
                        <role-name>*</role-name>
                        <role-name>**</role-name>
                </auth-constraint>
        </security-constraint>
        <security-constraint>
                <web-resource-collection>
            <web-resource-name>denyuncoveredpost</web-resource-name>
                        <url-pattern>/denyuncoveredpost</url-pattern>
                        <http-method>GET</http-method>
                </web-resource-collection>
        </security-constraint>

        <security-role>
                <role-name>javaUsers</role-name>
        </security-role>
</web-app>