<security-constraint> <display-name>Example Security Constraint - part 1</display-name> <web-resource-collection> <web-resource-name>Protected Area - Allow methods</web-resource-name> <!-- Define the context-relative URL(s) to be protected --> <url-pattern>/jsp/security/protected/*</url-pattern> <!-- If you list http methods, only those methods are protected so --> <!-- the constraint below ensures all other methods are denied --> <http-method>DELETE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> </web-resource-collection> <auth-constraint> <!-- Anyone with one of the listed roles may access this area --> <role-name>ROLE_OPENGROK_GROUP_1</role-name> <role-name>ROLE_OPENGROK_GROUP_2</role-name> </auth-constraint> </security-constraint>