private SecurityPathMatches buildSecurityConstraints() {
    SecurityPathMatches.Builder builder =
        SecurityPathMatches.builder(deployment.getDeploymentInfo());
    final Set<String> urlPatterns = new HashSet<String>();
    for (SecurityConstraint constraint : deployment.getDeploymentInfo().getSecurityConstraints()) {
      builder.addSecurityConstraint(constraint);
      for (WebResourceCollection webResources : constraint.getWebResourceCollections()) {
        urlPatterns.addAll(webResources.getUrlPatterns());
      }
    }

    for (final ServletInfo servlet : deployment.getDeploymentInfo().getServlets().values()) {
      final ServletSecurityInfo securityInfo = servlet.getServletSecurityInfo();
      if (securityInfo != null) {
        final Set<String> mappings = new HashSet<String>(servlet.getMappings());
        mappings.removeAll(urlPatterns);
        if (!mappings.isEmpty()) {
          final Set<String> methods = new HashSet<String>();

          for (HttpMethodSecurityInfo method : securityInfo.getHttpMethodSecurityInfo()) {
            methods.add(method.getMethod());
            if (method.getRolesAllowed().isEmpty()
                && method.getEmptyRoleSemantic() == ServletSecurity.EmptyRoleSemantic.PERMIT) {
              // this is an implict allow
              continue;
            }
            SecurityConstraint newConstraint =
                new SecurityConstraint()
                    .addRolesAllowed(method.getRolesAllowed())
                    .setTransportGuaranteeType(method.getTransportGuaranteeType())
                    .addWebResourceCollection(
                        new WebResourceCollection()
                            .addUrlPatterns(mappings)
                            .addHttpMethod(method.getMethod()));
            builder.addSecurityConstraint(newConstraint);
          }

          SecurityConstraint newConstraint =
              new SecurityConstraint()
                  .addRolesAllowed(securityInfo.getRolesAllowed())
                  .setTransportGuaranteeType(securityInfo.getTransportGuaranteeType())
                  .addWebResourceCollection(
                      new WebResourceCollection()
                          .addUrlPatterns(mappings)
                          .addHttpMethodOmissions(methods));
          builder.addSecurityConstraint(newConstraint);
        }
      }
    }

    return builder.build();
  }
  private DeploymentInfo createServletConfig(
      final JBossWebMetaData mergedMetaData,
      final DeploymentUnit deploymentUnit,
      final Module module,
      final DeploymentClassIndex classReflectionIndex,
      final WebInjectionContainer injectionContainer,
      final ComponentRegistry componentRegistry,
      final ScisMetaData scisMetaData,
      final VirtualFile deploymentRoot)
      throws DeploymentUnitProcessingException {
    try {
      mergedMetaData.resolveAnnotations();
      final DeploymentInfo d = new DeploymentInfo();
      d.setContextPath(mergedMetaData.getContextRoot());
      if (mergedMetaData.getDescriptionGroup() != null) {
        d.setDisplayName(mergedMetaData.getDescriptionGroup().getDisplayName());
      }
      d.setDeploymentName(deploymentUnit.getName());
      d.setResourceLoader(new DeploymentResourceLoader(deploymentRoot));
      d.setClassLoader(module.getClassLoader());
      final String servletVersion = mergedMetaData.getServletVersion();
      if (servletVersion != null) {
        d.setMajorVersion(Integer.parseInt(servletVersion.charAt(0) + ""));
        d.setMinorVersion(Integer.parseInt(servletVersion.charAt(2) + ""));
      } else {
        d.setMajorVersion(3);
        d.setMinorVersion(1);
      }

      // for 2.2 apps we do not require a leading / in path mappings
      boolean is22OrOlder;
      if (d.getMajorVersion() == 1) {
        is22OrOlder = true;
      } else if (d.getMajorVersion() == 2) {
        is22OrOlder = d.getMinorVersion() < 3;
      } else {
        is22OrOlder = false;
      }

      HashMap<String, TagLibraryInfo> tldInfo =
          createTldsInfo(deploymentUnit, classReflectionIndex, componentRegistry, d);
      HashMap<String, JspPropertyGroup> propertyGroups = createJspConfig(mergedMetaData);

      JspServletBuilder.setupDeployment(
          d, propertyGroups, tldInfo, new UndertowJSPInstanceManager(injectionContainer));
      d.setJspConfigDescriptor(
          new JspConfigDescriptorImpl(tldInfo.values(), propertyGroups.values()));
      d.setDefaultServletConfig(new DefaultServletConfig(true, Collections.<String>emptySet()));

      // default JSP servlet
      final ServletInfo jspServlet =
          new ServletInfo("Default JSP Servlet", JspServlet.class)
              .addMapping("*.jsp")
              .addMapping("*.jspx")
              .addInitParam("development", "false"); // todo: make configurable
      d.addServlet(jspServlet);

      final Set<String> jspPropertyGroupMappings = propertyGroups.keySet();
      for (final String mapping : jspPropertyGroupMappings) {
        jspServlet.addMapping(mapping);
      }

      d.setClassIntrospecter(new ComponentClassIntrospector(componentRegistry));

      final Map<String, List<ServletMappingMetaData>> servletMappings = new HashMap<>();

      if (mergedMetaData.getServletMappings() != null) {
        for (final ServletMappingMetaData mapping : mergedMetaData.getServletMappings()) {
          List<ServletMappingMetaData> list = servletMappings.get(mapping.getServletName());
          if (list == null) {
            servletMappings.put(mapping.getServletName(), list = new ArrayList<>());
          }
          list.add(mapping);
        }
      }
      final Set<String> seenMappings = new HashSet<>(jspPropertyGroupMappings);
      if (mergedMetaData.getServlets() != null) {
        for (final JBossServletMetaData servlet : mergedMetaData.getServlets()) {
          final ServletInfo s;

          if (servlet.getJspFile() != null) {
            // TODO: real JSP support
            s = new ServletInfo(servlet.getName(), JspServlet.class);
            s.addHandlerChainWrapper(new JspFileWrapper(servlet.getJspFile()));
          } else {
            Class<? extends Servlet> servletClass =
                (Class<? extends Servlet>)
                    classReflectionIndex.classIndex(servlet.getServletClass()).getModuleClass();
            ComponentRegistry.ComponentManagedReferenceFactory creator =
                componentRegistry.getComponentsByClass().get(servletClass);
            if (creator != null) {
              InstanceFactory<Servlet> factory = createInstanceFactory(creator);
              s = new ServletInfo(servlet.getName(), servletClass, factory);
            } else {
              s = new ServletInfo(servlet.getName(), servletClass);
            }
          }
          s.setAsyncSupported(servlet.isAsyncSupported())
              .setJspFile(servlet.getJspFile())
              .setEnabled(servlet.isEnabled());
          if (servlet.getRunAs() != null) {
            s.setRunAs(servlet.getRunAs().getRoleName());
          }
          if (servlet
              .getLoadOnStartupSet()) { // todo why not cleanup api and just use int everywhere
            s.setLoadOnStartup(servlet.getLoadOnStartupInt());
          }

          List<ServletMappingMetaData> mappings = servletMappings.get(servlet.getName());
          if (mappings != null) {
            for (ServletMappingMetaData mapping : mappings) {
              for (String pattern : mapping.getUrlPatterns()) {
                if (is22OrOlder && !pattern.startsWith("*") && !pattern.startsWith("/")) {
                  pattern = "/" + pattern;
                }
                if (!seenMappings.contains(pattern)) {
                  s.addMapping(pattern);
                  seenMappings.add(pattern);
                }
              }
            }
          }
          if (servlet.getInitParam() != null) {
            for (ParamValueMetaData initParam : servlet.getInitParam()) {
              if (!s.getInitParams().containsKey(initParam.getParamName())) {
                s.addInitParam(initParam.getParamName(), initParam.getParamValue());
              }
            }
          }
          if (servlet.getServletSecurity() != null) {
            ServletSecurityInfo securityInfo = new ServletSecurityInfo();
            s.setServletSecurityInfo(securityInfo);
            securityInfo
                .setEmptyRoleSemantic(
                    servlet.getServletSecurity().getEmptyRoleSemantic()
                            == EmptyRoleSemanticType.PERMIT
                        ? PERMIT
                        : DENY)
                .setTransportGuaranteeType(
                    transportGuaranteeType(servlet.getServletSecurity().getTransportGuarantee()))
                .addRolesAllowed(servlet.getServletSecurity().getRolesAllowed());
            if (servlet.getServletSecurity().getHttpMethodConstraints() != null) {
              for (HttpMethodConstraintMetaData method :
                  servlet.getServletSecurity().getHttpMethodConstraints()) {
                securityInfo.addHttpMethodSecurityInfo(
                    new HttpMethodSecurityInfo()
                        .setEmptyRoleSemantic(
                            method.getEmptyRoleSemantic() == EmptyRoleSemanticType.PERMIT
                                ? PERMIT
                                : DENY)
                        .setTransportGuaranteeType(
                            transportGuaranteeType(method.getTransportGuarantee()))
                        .addRolesAllowed(method.getRolesAllowed())
                        .setMethod(method.getMethod()));
              }
            }
          }
          if (servlet.getSecurityRoleRefs() != null) {
            for (final SecurityRoleRefMetaData ref : servlet.getSecurityRoleRefs()) {
              s.addSecurityRoleRef(ref.getRoleName(), ref.getRoleLink());
            }
          }

          d.addServlet(s);
        }
      }

      if (mergedMetaData.getFilters() != null) {
        for (final FilterMetaData filter : mergedMetaData.getFilters()) {
          Class<? extends Filter> filterClass =
              (Class<? extends Filter>)
                  classReflectionIndex.classIndex(filter.getFilterClass()).getModuleClass();
          ComponentRegistry.ComponentManagedReferenceFactory creator =
              componentRegistry.getComponentsByClass().get(filterClass);
          FilterInfo f;
          if (creator != null) {
            InstanceFactory<Filter> instanceFactory = createInstanceFactory(creator);
            f = new FilterInfo(filter.getName(), filterClass, instanceFactory);
          } else {
            f = new FilterInfo(filter.getName(), filterClass);
          }
          f.setAsyncSupported(filter.isAsyncSupported());
          d.addFilter(f);

          if (filter.getInitParam() != null) {
            for (ParamValueMetaData initParam : filter.getInitParam()) {
              f.addInitParam(initParam.getParamName(), initParam.getParamValue());
            }
          }
        }
      }
      if (mergedMetaData.getFilterMappings() != null) {
        for (final FilterMappingMetaData mapping : mergedMetaData.getFilterMappings()) {
          if (mapping.getUrlPatterns() != null) {
            for (String url : mapping.getUrlPatterns()) {
              if (is22OrOlder && !url.startsWith("*") && !url.startsWith("/")) {
                url = "/" + url;
              }
              if (mapping.getDispatchers() != null && !mapping.getDispatchers().isEmpty()) {
                for (DispatcherType dispatcher : mapping.getDispatchers()) {

                  d.addFilterUrlMapping(
                      mapping.getFilterName(),
                      url,
                      javax.servlet.DispatcherType.valueOf(dispatcher.name()));
                }
              } else {
                d.addFilterUrlMapping(
                    mapping.getFilterName(), url, javax.servlet.DispatcherType.REQUEST);
              }
            }
          }
          if (mapping.getServletNames() != null) {
            for (String servletName : mapping.getServletNames()) {
              if (mapping.getDispatchers() != null && !mapping.getDispatchers().isEmpty()) {
                for (DispatcherType dispatcher : mapping.getDispatchers()) {
                  d.addFilterServletNameMapping(
                      mapping.getFilterName(),
                      servletName,
                      javax.servlet.DispatcherType.valueOf(dispatcher.name()));
                }
              } else {
                d.addFilterServletNameMapping(
                    mapping.getFilterName(), servletName, javax.servlet.DispatcherType.REQUEST);
              }
            }
          }
        }
      }

      if (scisMetaData != null && scisMetaData.getHandlesTypes() != null) {
        for (final Map.Entry<ServletContainerInitializer, Set<Class<?>>> sci :
            scisMetaData.getHandlesTypes().entrySet()) {
          final ImmediateInstanceFactory<ServletContainerInitializer> instanceFactory =
              new ImmediateInstanceFactory<>(sci.getKey());
          d.addServletContainerInitalizer(
              new ServletContainerInitializerInfo(
                  sci.getKey().getClass(), instanceFactory, sci.getValue()));
        }
      }

      if (mergedMetaData.getListeners() != null) {
        for (ListenerMetaData listener : mergedMetaData.getListeners()) {
          addListener(classReflectionIndex, componentRegistry, d, listener);
        }
      }
      if (mergedMetaData.getContextParams() != null) {
        for (ParamValueMetaData param : mergedMetaData.getContextParams()) {
          d.addInitParameter(param.getParamName(), param.getParamValue());
        }
      }

      if (mergedMetaData.getWelcomeFileList() != null
          && mergedMetaData.getWelcomeFileList().getWelcomeFiles() != null) {
        d.addWelcomePages(mergedMetaData.getWelcomeFileList().getWelcomeFiles());
      } else {
        d.addWelcomePages("index.html", "index.htm", "index.jsp");
      }

      if (mergedMetaData.getErrorPages() != null) {
        for (final ErrorPageMetaData page : mergedMetaData.getErrorPages()) {
          final ErrorPage errorPage;
          if (page.getExceptionType() == null || page.getExceptionType().isEmpty()) {
            errorPage = new ErrorPage(page.getLocation(), Integer.parseInt(page.getErrorCode()));
          } else {
            errorPage =
                new ErrorPage(
                    page.getLocation(),
                    (Class<? extends Throwable>)
                        classReflectionIndex.classIndex(page.getExceptionType()).getModuleClass());
          }
          d.addErrorPages(errorPage);
        }
      }

      if (mergedMetaData.getMimeMappings() != null) {
        for (final MimeMappingMetaData mapping : mergedMetaData.getMimeMappings()) {
          d.addMimeMapping(new MimeMapping(mapping.getExtension(), mapping.getMimeType()));
        }
      }

      if (mergedMetaData.getSecurityConstraints() != null) {
        for (SecurityConstraintMetaData constraint : mergedMetaData.getSecurityConstraints()) {
          SecurityConstraint securityConstraint =
              new SecurityConstraint()
                  .setTransportGuaranteeType(
                      transportGuaranteeType(constraint.getTransportGuarantee()))
                  .addRolesAllowed(constraint.getRoleNames());

          if (constraint.getAuthConstraint() == null) {
            // no auth constraint means we permit the empty roles
            securityConstraint.setEmptyRoleSemantic(PERMIT);
          }

          if (constraint.getResourceCollections() != null) {
            for (final WebResourceCollectionMetaData resourceCollection :
                constraint.getResourceCollections()) {
              securityConstraint.addWebResourceCollection(
                  new WebResourceCollection()
                      .addHttpMethods(resourceCollection.getHttpMethods())
                      .addHttpMethodOmissions(resourceCollection.getHttpMethodOmissions())
                      .addUrlPatterns(resourceCollection.getUrlPatterns()));
            }
          }
          d.addSecurityConstraint(securityConstraint);
        }
      }
      final LoginConfigMetaData loginConfig = mergedMetaData.getLoginConfig();
      if (loginConfig != null) {
        String authMethod = authMethod(loginConfig.getAuthMethod());
        if (loginConfig.getFormLoginConfig() != null) {
          d.setLoginConfig(
              new LoginConfig(
                  authMethod,
                  loginConfig.getRealmName(),
                  loginConfig.getFormLoginConfig().getLoginPage(),
                  loginConfig.getFormLoginConfig().getErrorPage()));
        } else {
          d.setLoginConfig(new LoginConfig(authMethod, loginConfig.getRealmName()));
        }
      }

      d.addSecurityRoles(mergedMetaData.getSecurityRoleNames());

      if (mergedMetaData.getSecurityDomain() != null) {

        String contextId = deploymentUnit.getName();
        if (deploymentUnit.getParent() != null) {
          contextId = deploymentUnit.getParent().getName() + "!" + contextId;
        }
        d.addOuterHandlerChainWrapper(
            SecurityContextCreationHandler.wrapper(mergedMetaData.getSecurityDomain()));
        d.addDispatchedHandlerChainWrapper(
            SecurityContextAssociationHandler.wrapper(
                mergedMetaData.getPrincipalVersusRolesMap(), contextId));
      }

      // Setup an deployer configured ServletContext attributes
      final List<ServletContextAttribute> attributes =
          deploymentUnit.getAttachmentList(ServletContextAttribute.ATTACHMENT_KEY);
      for (ServletContextAttribute attribute : attributes) {
        d.addServletContextAttribute(attribute.getName(), attribute.getValue());
      }

      if (mergedMetaData.getLocalEncodings() != null
          && mergedMetaData.getLocalEncodings().getMappings() != null) {
        for (LocaleEncodingMetaData locale : mergedMetaData.getLocalEncodings().getMappings()) {
          d.addLocaleCharsetMapping(locale.getLocale(), locale.getEncoding());
        }
      }

      return d;
    } catch (ClassNotFoundException e) {
      throw new DeploymentUnitProcessingException(e);
    }
  }