Securing a servlet based on request params

Hi, using J2EE security in web.xml, can you secure a servlet based on request params?

server/app/dostuffservlet?page=Circle granted to role(s)
server/app/dostuffservlet?page=Square granted to other role(s)

Or does the dostuffservlet always have to be granted to the same role(s)?

Also, will this work if the request params are listed in a different order?

I.e. server/app/dostuffservlet?day=Monday&page=Circle

Thanks for the help.

You'd have to tell us a little more about what you mean by "Secure a servlet"

I mean, can you assign the same servlet to two different auth-constraints, like this:
<security-constraint> <display-name>CircleAuth</display-name> <web-resource-collection> <web-resource-name> Circles </web-resource-name> <url-pattern> /jsp/myapp/ServletName?page=Circle* </url-pattern> <http-method>GET</http-method> ... </web-resource-collection> <auth-constraint> <description>Description</description> <role-name>CircleRole</role-name> </auth-constraint> </security-constraint> <security-constraint> <display-name>SquareAuth</display-name> <web-resource-collection> <web-resource-name> Squares </web-resource-name> <!-- note that the following servlet is the same servlet as above, just with a different request parameter --!> <url-pattern> /jsp/myapp/ServletName?page=Square* </url-pattern> <http-method>GET</http-method> ... </web-resource-collection> <auth-constraint> <description>Description</description> <!-- note that this is a different role than above --!> <role-name>SquareRole</role-name> </auth-constraint> </security-constraint>

I would have to double check but, to the best of my knowledge, the servlet spec does not consider the query string part of the url-pattern for the purpose of mapping.

If you plan on doing this test it, not only in the container that you're using but any that you plan to support (as well as versions of those containers) and, unless you find something in the spec that specifically states that query strings are considered, plan on re-testing for every future version of each container you plan to support.

Thanks for your reply, Ben! That helps a lot.

I would also like to find some formal documentation on this subject (how the URL is parsed), if possible. Do you have any pointers on where I might look?

There is a link to the servlet spec in my signature.