I have a @POST rest method and i want to make filter for it, so only the person who is logged in in the application to be able to have access to it. Here is my @POST method :

@POST
@Path("/buy")
public Response buyTicket(@QueryParam("projectionId") String projectionId, @QueryParam("place") String place){
    Projection projection = projectionDAO.findById(Long.parseLong(projectionId));
    if(projection != null){
        System.out.println(projection.getMovieTitle());
        System.out.println(place);
        projectionDAO.buyTicket(projection, userContext.getCurrentUser(), place);
    }

    return Response.noContent().build();
}

And here is the filter i write for this method :

@WebFilter("rest/projection/buy")
public class ProtectedBuyFunction implements Filter {
@Inject
UserContext userContext;

public void init(FilterConfig fConfig) throws ServletException {
}

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
    if (!isHttpCall(request, response)) {
        return;
    }
    HttpServletResponse httpServletResponse = (HttpServletResponse) response;
    HttpServletRequest httpServletRequest = (HttpServletRequest) request;
    User currentUser = userContext.getCurrentUser();
    if (currentUser == null) {
        String loginUrl = httpServletRequest.getContextPath()
                + "/login.html";
        httpServletResponse.sendRedirect(loginUrl);
        return;
    }
    chain.doFilter(request, response);
}

private boolean isHttpCall(ServletRequest request, ServletResponse response) {
    return (request instanceof HttpServletRequest)
            && (response instanceof HttpServletResponse);
}

public void destroy() {
}}

The problem is that i always get an exception and the server refuse to start, the exception is :

Invalid <url-pattern> rest/projection/buy in filter mapping

I am using TomEE server with Jax-RS. Is there some way I can solve this problem ?