How to exclude one url from authorization

Asked 22/2, 2013 at 12:27 Answered 21/5, 2019 at 13:31

Solved java jakarta-ee authentication web.xml

My web.xml looks like:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Role</role-name>
    </auth-constraint>
</security-constraint>

this protect every side from authorization but I want exclude /info. Is this possible ?

Bridie answered 22/2, 2013 at 12:27 Comment(0)

112

Omit the <auth-constraint> element in <security-constraint> for resources for which you don't need authentication like:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/info</url-pattern>
    </web-resource-collection>
    <!-- OMIT auth-constraint -->
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Role</role-name>
    </auth-constraint>
</security-constraint>

Ferreira answered 25/2, 2013 at 7:32 Comment(3)

I tried this approach and didnt work. Is this valid? – Afresh 4/2, 2016 at 0:17

<url-pattern>/path</url-pattern> not working for me, while <url-pattern>/path/*</url-pattern> works for all files placed under /path. Also, <url-pattern>/path/myfile.xhtml</url-pattern> works for individual file but <url-pattern>/path/*.xhtml</url-pattern> does not work – Soloman 8/4, 2016 at 23:56

I tried and worked fine, but be aware of container specific authorization: in my case wildfly secure all resources, so you have to keep in mind that too – Pinon 26/7, 2018 at 6:33

If you are looking for keycloak with Spring boot solution, then try likes this in your application properties file:

keycloak.security-constraints[0].authRoles[0]=users
keycloak.security-constraints[0].security-collections[0].patterns[0]=/*
keycloak.security-constraints[1].security-collections[0].patterns[0]=/info

This will apply security on all URLs except /info

Warrantor answered 21/5, 2019 at 13:31 Comment(0)

I don't know whether I get you right ! With my limited knowledge I think in-order to implement security the content to be secured is declared using one or more web-resource-collection elements. Each web-resource-collection element contains an optional series of url-pattern elements followed by an optional series of http-method elements. The url-pattern element value specifies a URL pattern against which a request URL must match for the request to correspond to an attempt to access secured content. The http-method element value specifies a type of HTTP request to allow.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure Content</web-resource-name>
        <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AuthorizedUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- ... -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>The Restricted Zone</realm-name>
</login-config>
<!-- ... -->
<security-role>
    <description>The role required to access restricted content </description>
    <role-name>AuthorizedUser</role-name>
</security-role>

URL lying under the web application's /restricted path requires an AuthorizedUser role.

Ballesteros answered 27/2, 2013 at 9:34 Comment(0)

Recommended topics

Hot tags