
Larry Brown, Marty Hall, and Yaakov Chaikin

"Core Servlets and JavaServer Pages, Volume 2"

; the default is all methods), and an optional description
element that provides documentation. For example, the following
web-resource-collection entry (within a security-constraint element)
designates that all documents in the proprietary directory of the Web
application should be protected.


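<web-resource-collection>
  <web-resource-name>Proprietary</web-resource-name>
  <url-pattern>/proprietary/*</url-pattern>
</web-resource-collection>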



It is important to note that the url-pattern applies only to clients that
access the resources directly. In particular, it does not apply to pages that are
accessed through the MVC architecture with a RequestDispatcher or by
the similar means of jsp:forward. This asymmetry is good if used properly.
For example, with the MVC architecture a servlet looks up data, places it in
beans, and forwards the request to a JSP page that extracts the data from the
beans and displays it. You want to ensure that the JSP page is never accessed
directly but instead is accessed only through the servlet that sets up the beans
the page will use. The url-pattern and auth-constraint (see next subsection)
elements can provide this guarantee by declaring that no user is permitted
direct access to the JSP page. However, this asymmetric behavior can
catch developers off guard and allow them to accidentally provide unrestricted
access to resources that should be protected.
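One way to check a deployment descriptor for this pitfall is sketched below. It is an added example, not code from the book: it lists servlet mappings that no auth-constrained url-pattern covers, since a servlet reached that way can forward into a protected directory without the container checking anything. The sample web.xml, the servlet names, and the executive role are constructed, and the pattern matching is simplified.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the book). ReportServlet is a
# hypothetical MVC controller that forwards into /proprietary/.
SAMPLE_WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>ReportServlet</servlet-name>
    <url-pattern>/reports</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>AdminServlet</servlet-name>
    <url-pattern>/proprietary/admin</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Proprietary</web-resource-name>
      <url-pattern>/proprietary/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>executive</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop any XML namespace so namespaced descriptors parse the same way."""
    return tag.rsplit("}", 1)[-1]

def covers(constraint, path):
    """Simplified url-pattern match; ignores http-method and match precedence."""
    if constraint == path:
        return True
    if constraint.endswith("/*"):          # path-prefix pattern
        base = constraint[:-2]
        return path == base or path.startswith(base + "/")
    if constraint.startswith("*."):        # extension pattern
        return path.endswith(constraint[1:])
    return False

def patterns(parent):
    return [e.text.strip() for e in parent.iter()
            if local(e.tag) == "url-pattern" and e.text]

def unconstrained_servlets(web_xml):
    """Servlet mappings that no auth-constrained url-pattern covers: entry
    points the container will not check before they forward elsewhere."""
    root = ET.fromstring(web_xml)
    protected, findings = [], []
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        if any(local(c.tag) == "auth-constraint" for c in sc):
            protected += patterns(sc)
    for sm in (e for e in root.iter() if local(e.tag) == "servlet-mapping"):
        name = next(c.text.strip() for c in sm if local(c.tag) == "servlet-name")
        findings += [(name, p) for p in patterns(sm)
                     if not any(covers(c, p) for c in protected)]
    return sorted(findings)
```

Each mapping it reports is a candidate for review, not a confirmed hole: the servlet may be intentionally public, or may enforce access in its own code before forwarding.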

