Similar to "Define a `<security-constraint>` outside of web.xml (e.g. server-wide)", I am trying to define a security-constraint outside of my application's `WEB-INF/web.xml`. However, unlike that question, I don't want to define it server-wide. I have tried to put the security-constraints in both `META-INF/context.xml` and `${catalina.home}/conf/Catalina/localhost/<myapp>.xml`. Adding the security-constraints to `${catalina.home}/conf/web.xml` works fine, but this does it for everything on the server, and I am trying to avoid this if possible.

I can't find any documentation that says definitively security-constraints must be defined in a web.xml, but this seems to be the case. Is this true?

  • Tomcat, among other containers, implements the requirements of the servlet spec. That spec says that security-constraints go in web.xml. There's really no reason for a servlet container to implement any other strategy than that. Why do you want to configure security *outside* of the application? – Christopher Schultz Mar 11 '14 at 20:22
  • Well, I'm really looking for an analog to jetty's `override-web.xml`. I want the web app to have no security-constraints by default, but have the ability to enable them by copying in a file or something similar. Trying to avoid having to edit an in-place web.xml. – Wisco crew Mar 11 '14 at 20:30
  • Tomcat does not have anything like that. There is a conceptual problem with layering-on security constraints after the fact: an application needs to know which pages are protected in order to make sane decisions about the state of a request, etc. By separating the security constraints from the application, you are creating the opportunity for failure. What advantage do you get from an external configuration? What disadvantage is there to modifying `web.xml` directly? – Christopher Schultz Mar 11 '14 at 20:35
  • I figured as much. I'm trying to avoid it because it's difficult to do programmatically (e.g. from a batch script). – Wisco crew Mar 11 '14 at 20:36
  • Try using something more appropriate like Apache Ant. It has tools available that are much more powerful than batch-scripting. For example, you can execute an XSL transform to modify XML files. If you want to script modifications, how would you do it with an *external* file? – Christopher Schultz Mar 11 '14 at 20:39
  • Thanks for the help. I was hoping I could copy in something like override-web.xml and have that be appended to the existing web.xml. I'll check out ant, thanks. – Wisco crew Mar 11 '14 at 20:48
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/49507/discussion-between-wisco-crew-and-christopher-schultz) – Wisco crew Mar 11 '14 at 21:10
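
The scripted `web.xml` edit discussed in the comments above, as an added example that is not part of the original thread: instead of Ant/XSLT it uses Python's standard library to append a `security-constraint` to the descriptor. The sample descriptor, role name, resource name and BASIC auth method are assumptions, and it assumes a schema-based `web.xml` where top-level elements may appear in any order.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread): no constraints yet.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>myapp</display-name>
</web-app>
"""


def _child(parent, ns, name, text=None):
    """Append a child element in the descriptor's own namespace."""
    el = ET.SubElement(parent, ns + name)
    el.text = text
    return el


def enable_constraint(web_xml, url_pattern="/*", role="appuser",
                      resource_name="scripted-constraint"):
    """Return web_xml with one auth constraint added; safe to run twice.

    role and resource_name are hypothetical values chosen for this example.
    """
    root = ET.fromstring(web_xml)
    # web.xml normally declares a default namespace; reuse whatever it has.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns[1:-1])  # serialize without ns0: prefixes

    # Idempotency: our marker is the web-resource-name we write below.
    already = any(n.text == resource_name
                  for n in root.iter(ns + "web-resource-name"))
    if not already:
        sc = _child(root, ns, "security-constraint")
        wrc = _child(sc, ns, "web-resource-collection")
        _child(wrc, ns, "web-resource-name", resource_name)
        _child(wrc, ns, "url-pattern", url_pattern)
        _child(_child(sc, ns, "auth-constraint"), ns, "role-name", role)

    # Keep the application's own login-config and roles if it declares them.
    if root.find(ns + "login-config") is None:
        _child(_child(root, ns, "login-config"), ns, "auth-method", "BASIC")
    roles = {r.text for r in root.findall(f"{ns}security-role/{ns}role-name")}
    if role not in roles:
        _child(_child(root, ns, "security-role"), ns, "role-name", role)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(enable_constraint(SAMPLE_WEB_XML))
```

ElementTree discards XML comments when parsing, so a descriptor whose comments must survive needs a comment-preserving parser.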

0 Answers