You can choose to restrict defined user roles to specified URLs – the endpoints that perform specific actions. You can put a constraint on a particular URL or many URLs associated with the web application. Endpoint security is defined in <security-constraint> tags.
You can define the URLs where the constraint will apply. For the constraint to be applied to all URLs associated with your web application, set the value to /*. However, a finer level of granularity can be applied. Here are the five core URL pattern matches associated with Corticon SOAP and REST API URLs:
1. Corticon Admin SOAP Servlet:
/services/CorticonAdmin
You can perform Admin operations over SOAP such as deployment or configuration of Decision Services. See Admin SOAP example.
Similar to the Admin SOAP endpoint, this endpoint is over REST. Because REST uses a distinct URL for each operation, this endpoint's pattern ends in an * so that it matches the URLs of all Decision Service Admin operations. See Admin DS example.
4. Corticon Server Admin REST:
/corticon/server/*
You can perform Admin operations against the Corticon Server over REST such as getting Corticon Server metrics and properties. See Admin REST example.
When the user passes in their credentials (username/password), the authentication process verifies that the credentials match a role that has been defined on the server. This section of the web.xml lets you limit access to the URL to particular roles. If you don't want to limit access to particular roles, set the <role-name> value to *.
However, you may not want everyone to have access to the Admin URLs. In this particular case, you must add a specific <security-constraint> for the Admin URLs with an assigned <role-name> to limit which types of users can access the URLs.
Note: If you want all role names to be valid for the web application, then add * as the <role-name> value of the constraint. Even if you have set the constraint's role-name to *, you must still define a <security-role> whose role-name is *.
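The following web.xml fragment is an added example (not taken from the Corticon documentation) that puts the pieces above together: the two Admin URL patterns named on this page are restricted to a single role, while every other URL accepts any defined role. The role name CorticonAdministrator and the BASIC login method are assumptions for the example.

```xml
<!-- Restrictive constraint for the Admin endpoints named on this page.
     Only users in the (assumed) CorticonAdministrator role may call them.
     The exact pattern and the /corticon/server/* prefix are more specific
     than /* below, so the servlet container applies this constraint to
     these URLs even though /* also matches them. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Corticon Admin endpoints</web-resource-name>
    <url-pattern>/services/CorticonAdmin</url-pattern>
    <url-pattern>/corticon/server/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>CorticonAdministrator</role-name>
  </auth-constraint>
</security-constraint>

<!-- Permissive constraint for everything else: any defined role is accepted.
     Using * here on the Admin URLs instead would let every authenticated
     user deploy or reconfigure Decision Services, which is why the Admin
     URLs get their own constraint above. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All other Corticon endpoints</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<!-- Assumed login method; credentials are checked against server-defined roles. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Corticon</realm-name>
</login-config>

<!-- Every role referenced in a constraint must also be declared here,
     including * when a constraint uses * as its role-name. -->
<security-role>
  <role-name>CorticonAdministrator</role-name>
</security-role>
<security-role>
  <role-name>*</role-name>
</security-role>
```

Omitting the <auth-constraint> element from a <security-constraint> removes the role check for those URLs entirely, so verify after editing that each Admin pattern still carries one.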