I am using the following to secure parts of my website.

```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>secure</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>SecureUsers</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```
I know I can create another `security-constraint` with `transport-guarantee=NONE` to allow certain URLs to go through without needing to be authenticated, e.g.

```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Insecure</web-resource-name>
        <url-pattern>/oauth-request-consumer/*</url-pattern>
        <url-pattern>/oauth-authorize-consumers/*</url-pattern>
        <url-pattern>/oauth-request-token/*</url-pattern>
        <url-pattern>/oauth-authorization/*</url-pattern>
        <url-pattern>/oauth-access-token/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```
But what if I want to allow `/a/b/*/d` without authentication, but require authentication for `/a/b/*/`?
Aside from putting every combination of `/a/b/*/d` in the security constraint, is there a better way? These paths are dynamic and may change over time, too, which means every time they change I have to update the web.xml file with updated security constraints.
Is there a way to delegate the `url-pattern` to a class? It seems that would allow me to set it once in the web.xml and then have code that decides if the URL needs authentication.
Am I going about this the wrong way? Is there a better way? I am also using WebSphere trust association interceptors for SSO.
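The servlet `url-pattern` element only supports an exact path, a path prefix ending in `/*`, or an extension such as `*.jsp`, so a wildcard in the middle of a path like `/a/b/*/d` cannot be written in web.xml at all. The class-based approach the question asks about would be a servlet `Filter` mapped to `/*` that makes the "does this path need a logged-in user" decision itself. The following is an added example, not code from the question or from WebSphere: a small, dependency-free policy class (the name `PathAuthPolicy`, the glob syntax where `*` matches one path segment and `**` matches the rest of the path, and the `allow`/`protect` method names are all assumptions of this example). It fails closed: any path that matches no rule, or that is not in canonical form, requires authentication. The filter wiring is described in the comments rather than written out, because it needs the servlet API jar; the TLS requirement (`transport-guarantee`) stays in web.xml, since a filter cannot enforce it.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not servlet-spec or WebSphere code): decides whether a
 * request path requires an authenticated user, using patterns that the
 * <url-pattern> element cannot express (a wildcard in the middle of the path).
 *
 * Intended call site (not shown, needs the servlet API): a Filter mapped to "/*"
 * computes path = request.getServletPath() + (pathInfo == null ? "" : pathInfo),
 * which is already URL-decoded by the container, and if requiresAuth(path) is
 * true and request.getUserPrincipal() is null, it calls
 * request.authenticate(response) (Servlet 3.0+) or redirects to the login page.
 * The /* security-constraint in web.xml would then keep only its
 * transport-guarantee, and the authentication decision moves into the filter.
 */
public final class PathAuthPolicy {

    private static final class Rule {
        final Pattern pattern;
        final boolean requiresAuth;

        Rule(Pattern pattern, boolean requiresAuth) {
            this.pattern = pattern;
            this.requiresAuth = requiresAuth;
        }
    }

    /** Rules are checked in insertion order; put the most specific ones first. */
    private final List<Rule> rules = new ArrayList<>();

    /** Glob to regex (assumed syntax): "*" is exactly one segment, "**" is anything. */
    static Pattern globToRegex(String glob) {
        StringBuilder sb = new StringBuilder("^");
        for (int i = 0; i < glob.length(); i++) {
            char c = glob.charAt(i);
            if (c == '*') {
                if (i + 1 < glob.length() && glob.charAt(i + 1) == '*') {
                    sb.append(".*");
                    i++; // consume the second '*'
                } else {
                    sb.append("[^/]+");
                }
            } else if (Character.isLetterOrDigit(c) || c == '/') {
                sb.append(c);
            } else {
                sb.append('\\').append(c); // escape regex metacharacters such as '.'
            }
        }
        return Pattern.compile(sb.append('$').toString());
    }

    /** Paths matching this glob may be served without authentication. */
    public PathAuthPolicy allow(String glob) {
        rules.add(new Rule(globToRegex(glob), false));
        return this;
    }

    /** Paths matching this glob require an authenticated user. */
    public PathAuthPolicy protect(String glob) {
        rules.add(new Rule(globToRegex(glob), true));
        return this;
    }

    /**
     * Fail closed: a path that matches no rule, or that is not canonical
     * (dot segments, empty segments, backslashes), always requires authentication,
     * mirroring the catch-all "/*" constraint in web.xml.
     */
    public boolean requiresAuth(String rawPath) {
        String path = canonicalize(rawPath);
        if (path == null) {
            return true;
        }
        for (Rule rule : rules) {
            if (rule.pattern.matcher(path).matches()) {
                return rule.requiresAuth;
            }
        }
        return true;
    }

    /** Returns null for any path this policy is not willing to decide on. */
    static String canonicalize(String path) {
        if (path == null || !path.startsWith("/") || path.contains("\\") || path.contains("//")) {
            return null;
        }
        for (String segment : path.split("/")) {
            if (segment.equals(".") || segment.equals("..")) {
                return null;
            }
        }
        return path;
    }

    public static void main(String[] args) {
        PathAuthPolicy policy = new PathAuthPolicy()
                .allow("/a/b/*/d")                // public: /a/b/<one segment>/d
                .allow("/oauth-request-token/**") // public subtree, like <url-pattern>/oauth-request-token/*
                .protect("/a/b/*/");              // explicit; the default-deny would cover it anyway

        // Constructed sample paths for illustration.
        String[] probes = {
            "/a/b/123/d", "/a/b/123/", "/a/b/123/d/extra",
            "/oauth-request-token/x/y", "/a/b/../secret/d", "/admin"
        };
        for (String p : probes) {
            System.out.println(p + " -> " + (policy.requiresAuth(p) ? "auth required" : "public"));
        }
    }
}
```

The rule ordering is deliberate: `/a/b/*/d` is listed before the broader `/a/b/*/` rule, and everything not explicitly allowed falls through to "auth required", so a new dynamic path that nobody has added a rule for is protected rather than exposed. The canonicalization step matters because the filter sees the path before any matching happens; rejecting `..`, empty and backslash segments avoids a request like `/a/b/../secret/d` being matched as a public path.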