@Override public Set<String> setServletSecurity(final ServletSecurityElement constraint) { if (constraint == null) { throw UndertowMessages.MESSAGES.argumentCannotBeNull("constraint"); } DeploymentInfo deploymentInfo = deployment.getDeploymentInfo(); //this is not super efficient, but it does not really matter final Set<String> urlPatterns = new HashSet<>(); for (SecurityConstraint sc : deploymentInfo.getSecurityConstraints()) { for (WebResourceCollection webResources : sc.getWebResourceCollections()) { urlPatterns.addAll(webResources.getUrlPatterns()); } } final Set<String> ret = new HashSet<>(); for (String url : servletInfo.getMappings()) { if (urlPatterns.contains(url)) { ret.add(url); } } ServletSecurityInfo info = new ServletSecurityInfo(); servletInfo.setServletSecurityInfo(info); info.setTransportGuaranteeType(constraint.getTransportGuarantee() == CONFIDENTIAL ? TransportGuaranteeType.CONFIDENTIAL : TransportGuaranteeType.NONE) .setEmptyRoleSemantic(emptyRoleSemantic(constraint.getEmptyRoleSemantic())) .addRolesAllowed(constraint.getRolesAllowed()); for (final HttpMethodConstraintElement methodConstraint : constraint.getHttpMethodConstraints()) { info.addHttpMethodSecurityInfo(new HttpMethodSecurityInfo() .setTransportGuaranteeType(methodConstraint.getTransportGuarantee() == CONFIDENTIAL ? TransportGuaranteeType.CONFIDENTIAL : TransportGuaranteeType.NONE) .setMethod(methodConstraint.getMethodName()) .setEmptyRoleSemantic(emptyRoleSemantic(methodConstraint.getEmptyRoleSemantic())) .addRolesAllowed(methodConstraint.getRolesAllowed())); } return ret; }