I’m an admin used to the old-school way of defining servlets/mappings, i.e. in web.xml.
Servlet 3.0 is great, and the @WebServlet annotation sure is nifty, if you’re a developer.
The problem is, as an admin, what if I’m managing a webapp that contains lots of different utility servlets (servlets.jar) defined by annotations, and not all of them are appropriate for each deployment? In other words, I want to either whitelist the URI mappings that are appropriate for a given deployment, or blacklist the ones that aren’t.
Without reverting to an earlier servlet spec, and ideally (though this is not off the table) without asking my developers to change the way they’re doing things.
Running JDK 1.7 and Tomcat 7, if that matters.
You can use a <security-constraint> with an empty <auth-constraint> to block access to the given URL pattern(s).
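A web.xml sketch of that approach for the deployment described in the question, added here as an example and not part of the original answer. The two URL patterns and the resource name are hypothetical stand-ins for whichever @WebServlet mappings in servlets.jar should be unreachable.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Annotated servlets are still discovered and mapped as usual;
       this constraint only controls who may reach the listed patterns. -->
  <security-constraint>
    <display-name>Servlets disabled in this deployment</display-name>
    <web-resource-collection>
      <web-resource-name>disabled-utility-servlets</web-resource-name>

      <!-- Hypothetical patterns: each must match the urlPatterns value
           declared in the corresponding @WebServlet annotation. -->
      <url-pattern>/util/debug/*</url-pattern>
      <url-pattern>/util/cacheFlush</url-pattern>

      <!-- Deliberately no <http-method> elements. Listing methods here
           would restrict only those methods and leave every other
           method (HEAD, PUT, OPTIONS, ...) unconstrained. -->
    </web-resource-collection>

    <!-- Present but empty: no role is allowed, so the container denies
         the request (HTTP 403), whether or not the caller is logged in.
         Omitting this element entirely has the opposite meaning: the
         resource is open to everyone. -->
    <auth-constraint/>
  </security-constraint>

</web-app>
```

If another constraint in the same descriptor grants a role access to an overlapping pattern, the empty <auth-constraint> still takes precedence under the servlet specification's combination rules, so the block holds.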