3-28 Developing Security Providers for Oracle WebLogic Server WebLogic resources are arranged in a hierarchical structure ranging from most specific to least specific. You can use the getParentResource method for each of the WebLogic resource types if you like, but it is not required. The WebLogic security providers use the single-parent resource hierarchy as follows: If a WebLogic security provider attempts to access a specific WebLogic resource and that resource cannot be located, the WebLogic security provider will call the getParentResource method of that resource. The parent of the current WebLogic resource is returned, and allows the WebLogic security provider to move up the resource hierarchy to protect the next less-specific resource. For example, if a caller attempts to access the following URL resource: type=url, application=myApp, contextPath=mywebapp, uri=foobarmy.jsp and that exact URL resource cannot be located, the WebLogic security provider will progressively attempt to locate and protect the following resources in order: type=url, application=myApp, contextPath=mywebapp, uri=foobar type=url, application=myApp, contextPath=mywebapp, uri=foo type=url, application=myApp, contextPath=mywebapp, uri=.jsp type=url, application=myApp, contextPath=mywebapp, uri= type=url, application=myApp, contextPath=mywebapp type=url, application=myApp type=app, application=myApp type=url

3.6.8.1 Pattern Matching for URL Resources

Sections SRV.11.1 and SRV.11.2 of the Java Servlet 2.3 Specification http:jcp.orgaboutJavacommunityprocessfirstjsr053index.ht ml describe the servlet containers pattern matching rules. These rules are used for URL resources as well. The following examples illustrate some important concepts with regard to URL resource pattern matching.

3.6.8.1.1 Example 1 For the URL resource type=url, application=myApp,

contextPath=mywebapp, uri=foomy.jsp, httpMethod=GET, the resource hierarchy used is as follows. Note lines 3 and 4, which contain URL patterns that may be different from what is expected.

1. type=url, application=myApp, contextPath=mywebapp, uri=foomy.jsp,

httpMethod=GET

2. type=url, application=myApp, contextPath=mywebapp, uri=foomy.jsp

3. type=url, application=myApp, contextPath=mywebapp, uri=foomy.jsp,

httpMethod=GET

4. type=url, application=myApp, contextPath=mywebapp, uri=foomy.jsp

5. type=url, application=myApp, contextPath=mywebapp, uri=foo,

httpMethod=GET

6. type=url, application=myApp, contextPath=mywebapp, uri=foo

7. type=url, application=myApp, contextPath=mywebapp, uri=.jsp, httpMethod=GET

8. type=url, application=myApp, contextPath=mywebapp, uri=.jsp

Note: For more information about the getParentResource method, see the WebLogic Server API Reference Javadoc for any of the predefined WebLogic resource types or the Resource interface. Design Considerations 3-29

9. type=url, application=myApp, contextPath=mywebapp, uri=, httpMethod=GET

10. type=url, application=myApp, contextPath=mywebapp, uri=

11. type=url, application=myApp, contextPath=mywebapptype=url,