I can restrict access to a web application by defining (among other things) a security-constraint
in web.xml. Each security-constraint consists of 1) a <web-resource-collection>,
which contains a set of restricted resources, and 2) an <auth-constraint>,
which contains a set of authorized users (security roles) that can access the web-resource-collection defined in that constraint.
So I think that in each constraint I can either a) define a single resource (address) and a set of authorized users, or b) define a set of resources (addresses) and a single authorized user.
Am I right? What should my approach be?
For example, I defined constraints like this:
<security-constraint>
    <display-name>ConstraintAdminUser</display-name>
    <web-resource-collection>
        <web-resource-name>adminResources</web-resource-name>
        <!-- no <http-method> given, so every HTTP method is covered -->
        <url-pattern>/protected/admin/*</url-pattern>
        <url-pattern>/protected/main/*</url-pattern>
        <url-pattern>/protected/user/*</url-pattern>
        <url-pattern>/protected/lang/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AdminUserRole</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>ConstraintUserOnly</display-name>
    <web-resource-collection>
        <web-resource-name>userResources</web-resource-name>
        <!-- same three patterns as above, minus /protected/admin/* -->
        <url-pattern>/protected/main/*</url-pattern>
        <url-pattern>/protected/user/*</url-pattern>
        <url-pattern>/protected/lang/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>UserOnlyRole</role-name>
    </auth-constraint>
</security-constraint>
But I don't know if this is the "right way" to do it :)
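To see what a container actually does with overlapping constraints like the ones in the question, here is an added example (not code from the post) that parses a web.xml fragment and applies the combination rules from the Servlet specification: only the constraints on the best-matching url-pattern are consulted, their role-names are unioned, a matching constraint with no <auth-constraint> opens the resource to everyone, and an empty <auth-constraint/> closes it to everyone. The fixture contains the two constraints posted above plus two hypothetical ones, ConstraintHttpsOnly and ConstraintBroad (with a made-up AuditorRole), that are not in the question and exist only to show the pitfalls. The xmlns attribute is omitted from the fixture and <http-method> is not modelled.

```python
"""Added example, not from the original post: how a Servlet container decides
who may reach a URL when several <security-constraint> entries overlap.
Rules (Servlet spec, sections 12.1 and 13.8):
  1. only constraints on the best-matching url-pattern count
     (exact, then longest "/prefix/*", then "*.ext", then "/");
  2. among those, allowed roles are the union of all <role-name>s;
  3. a selected constraint with no <auth-constraint> permits everyone;
     an empty <auth-constraint/> denies everyone and overrides all.
Ignored here: <http-method> and the special role names "*" / "**".
"""

import xml.etree.ElementTree as ET

PERMIT_ALL = "PERMIT_ALL"
DENY_ALL = "DENY_ALL"

# Constructed fixture: the two constraints from the question, plus two
# hypothetical ones (ConstraintHttpsOnly, ConstraintBroad / AuditorRole)
# added only to show the pitfalls; xmlns omitted to keep tags short.
WEB_XML = """<web-app>
  <security-constraint><display-name>ConstraintAdminUser</display-name>
    <web-resource-collection><web-resource-name>adminResources</web-resource-name>
      <url-pattern>/protected/admin/*</url-pattern><url-pattern>/protected/main/*</url-pattern>
      <url-pattern>/protected/user/*</url-pattern><url-pattern>/protected/lang/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>AdminUserRole</role-name></auth-constraint>
  </security-constraint>
  <security-constraint><display-name>ConstraintUserOnly</display-name>
    <web-resource-collection><web-resource-name>userResources</web-resource-name>
      <url-pattern>/protected/main/*</url-pattern><url-pattern>/protected/user/*</url-pattern>
      <url-pattern>/protected/lang/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>UserOnlyRole</role-name></auth-constraint>
  </security-constraint>
  <security-constraint><display-name>ConstraintHttpsOnly</display-name>
    <web-resource-collection><web-resource-name>httpsResources</web-resource-name>
      <url-pattern>/protected/lang/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint><display-name>ConstraintBroad</display-name>
    <web-resource-collection><web-resource-name>allProtected</web-resource-name>
      <url-pattern>/protected/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>AuditorRole</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def parse_constraints(web_xml_text):
    """Return [(name, patterns, roles)]; roles is None when there is no
    <auth-constraint>, an empty set when it is empty, else the role names."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():                      # drop any xmlns prefix
        el.tag = el.tag.rpartition("}")[2]
    out = []
    for sc in root.iter("security-constraint"):
        name = (sc.findtext("display-name") or "").strip()
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        out.append((name, patterns, roles))
    return out


def match_quality(pattern, path):
    """Rank of a match (higher wins, tuples compare lexicographically) or None."""
    if pattern.endswith("/*"):                  # path-prefix mapping
        prefix = pattern[:-2]
        ok = path == prefix or path.startswith(prefix + "/")
        return (2, len(prefix)) if ok else None
    if pattern.startswith("*."):                # extension mapping
        return (1, 0) if path.endswith(pattern[1:]) else None
    if pattern == "/":                          # default mapping
        return (0, 0)
    return (3, 0) if pattern == path else None  # exact mapping


def effective_access(constraints, path):
    """PERMIT_ALL, DENY_ALL, or the set of roles allowed to reach `path`."""
    best, selected = None, []
    for _name, patterns, roles in constraints:
        for pat in patterns:
            q = match_quality(pat, path)
            if q is None:
                continue
            if best is None or q > best:        # a better pattern discards the rest
                best, selected = q, []
            if q == best:
                selected.append(roles)
    if not selected:
        return PERMIT_ALL                       # unconstrained resource
    if any(r is not None and not r for r in selected):
        return DENY_ALL                         # empty <auth-constraint/> wins
    if any(r is None for r in selected):
        return PERMIT_ALL                       # missing <auth-constraint> wins
    return set().union(*selected)               # otherwise: union of roles


def is_allowed(constraints, path, user_roles):
    access = effective_access(constraints, path)
    if access in (PERMIT_ALL, DENY_ALL):
        return access == PERMIT_ALL
    return bool(access & set(user_roles))
```

Run against the posted constraints alone, this gives /protected/admin/* to AdminUserRole only and the other three areas to both roles, because two constraints on identical patterns simply union their roles. Either layout from the question (one pattern with many roles, or many patterns with one role) produces the same result; the things that change the outcome are the two hypothetical constraints: ConstraintHttpsOnly has no <auth-constraint>, so /protected/lang/* becomes reachable by everyone even though two other constraints name roles for it, and ConstraintBroad on /protected/* never applies to /protected/admin/* because the longer prefix is the only match that counts.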