When using our own implementation of HttpAuthenticationMechanism, how does one prevent authentication checks being triggered for certain file types?
E.g. we do not want our authentication bean to be triggered for static resource requests such as .js / .css files.
Using WildFly 26 (Java EE 8)
UPDATE:
Have tried specifying static files in web.xml with no <auth-constraint> defined, which is how the spec says this should be done, but I am still finding that validateRequest is firing for these files
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Static Content</web-resource-name>
        <url-pattern>/jsJawrPath/*</url-pattern>
        <url-pattern>/cssJawrPath/*</url-pattern>
        <url-pattern>/javax.faces.resource/*</url-pattern>
        <url-pattern>/images/*</url-pattern>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
</security-constraint>
Our authentication bean
@RequestScoped
@AutoApplySession
public class CustomAuthentication implements Serializable, HttpAuthenticationMechanism {

    private static final long serialVersionUID = 1L;

    @Inject private Logger log;

    /**
     * Note: this method is called for all requests (including public) to determine if authentication is required
     */
    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext httpMessageContext) throws AuthenticationException {
        log.debug("Validating request {}", request.getRequestURI());
        // Authentication logic...
    }
}
Then in the logs...
[10:44:30.476] DEBUG (com.myapp.security.CustomAuthentication) Validating request /jsJawrPath/jawr_generator.js
FURTHER INFO:
The reason I am trying to deactivate HttpAuthenticationMechanism is that I am trying to implement the Weld performance suggestions at the end of this article https://weld.cdi-spec.org/news/2016/10/25/tip3-performance/ to deactivate CDI contexts for static files, but when I add the org.jboss.weld.context.mapping param I get the "Context is not active" error because HttpAuthenticationMechanism is trying to invoke the validateRequest method.
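
Since validateRequest is called for every request, one way to skip work for the unconstrained static paths is to ask the container whether the matched resource is protected, rather than matching file extensions in the URI by hand. This is an added example, not the asker's code: the class name, the j_username / j_password parameter names, the use of IdentityStoreHandler and the @ApplicationScoped scope (chosen so that invoking the bean does not depend on an active request context) are assumptions.

```java
// Added example (not from the original post). Assumes Java EE 8 (javax.*) and that
// every non-static URL is covered by a <security-constraint> with an <auth-constraint>.
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.AutoApplySession;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@ApplicationScoped   // assumption: no request-scoped state is held in this bean
@AutoApplySession
public class StaticAwareAuthentication implements HttpAuthenticationMechanism {

    @Inject
    private IdentityStoreHandler identityStoreHandler;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext ctx) throws AuthenticationException {
        // The container has already matched the request against the web.xml constraints.
        // A path listed without <auth-constraint> (the "Static Content" collection) is
        // reported as unprotected, so return early unless the application explicitly
        // asked for authentication via SecurityContext.authenticate().
        if (!ctx.isProtected() && !ctx.isAuthenticationRequest()) {
            return ctx.doNothing();
        }

        // Hypothetical credential source: form parameters named j_username / j_password.
        String user = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        if (user == null || password == null) {
            return ctx.responseUnauthorized();
        }

        CredentialValidationResult result =
                identityStoreHandler.validate(new UsernamePasswordCredential(user, password));
        // Establishes the caller on a VALID result; any other status is reported as a failure.
        return ctx.notifyContainerAboutLogin(result);
    }
}
```

The early return only avoids the authentication logic; the container still invokes validateRequest for the static paths, so the call itself appears in the logs if logging is placed before the check.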