The rule means that requests to /test/status/ will be redirected to /rewrite-status the url will be rewritten. /test/status/ %{context-path}/rewrite-status ^/StartAuthentication$ /dispatcher?mod=id_saml1&action=GetArtifact ^/StartAuthentication\?(.*)$ /dispatcher?mod=id_saml1&action=GetArtifact&$1 ^/auth/([a-zA-Z0-9]+)/([a-zA-Z0-9]+)$ /dispatcher?mod=$1&action=$2 ^/auth/([a-zA-Z0-9]+)/([a-zA-Z0-9]+)\?(.*)$ /dispatcher?mod=$1&action=$2&$3 The outbound-rule specifies that when response.encodeURL is called (if you are using JSTL c:url) the url /rewrite-status will be rewritten to /test/status/. The above rule and this outbound-rule means that end users should never see the url /rewrite-status only /test/status/ both in thier location bar and in hyperlinks in your pages. /rewrite-status /test/status/ ^/AuthDispatcher?mod=([a-zA-Z0-9]+)&action=([a-zA-Z0-9]+)$ /auth/$1/$2 ^/AuthDispatcher?mod=([a-zA-Z0-9]+)&action=([a-zA-Z0-9]+)&(.*)$ /auth/$1/$2&$3