I'm using OpenLiberty 22 and my Java 17 EE application is secured with the mpJwt-1.2 feature. My mpJwt configuration in server.xml looks like the following:
<mpJwt audiences="ALL_AUDIENCES"
       authFilterRef="api-key-filter"
       groupNameAttribute="groupIds"
       id="myJwt"
       issuer="***"
       jwksUri="***"
       userNameAttribute="sub">
</mpJwt>
<authFilter id="api-key-filter">
    <requestHeader matchType="notContain" name="X-API-Key"/>
</authFilter>
With the authFilter I tell the server not to validate incoming requests where the 'X-API-Key' authentication header is set. All other calls should be validated with mpJwt as usual. Now I would like to check whether the value of X-API-Key is valid or not and, if it is invalid, return 401. My problem is that with my web.xml config entries, all calls with the API key header are rejected directly with 401 due to this security constraint.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Web Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AllAuthenticated</role-name>
    </auth-constraint>
</security-constraint>
This security constraint is needed to enable mpJwt validation in OpenLiberty.
My Question
Is it possible to write a custom OpenLiberty feature that checks an HTTP request header in combination with an authFilter, as mpJwt does (authFilterRef)? Or is it possible to configure the server to get this behaviour?
The only way I found is to unsecure these routes explicitly in server.xml, but this is very inflexible, because I always have to add these routes explicitly, and mpJwt validation is disabled for every call to these routes.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Public</web-resource-name>
        <url-pattern>/customApiKeyRoute1/*</url-pattern>
        <url-pattern>/customApiKeyRoute2/*</url-pattern>
    </web-resource-collection>
</security-constraint>
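One way to actually validate X-API-Key on the routes that the "Public" security constraint leaves open, as an added example that is not part of the original question and not Open Liberty code: a servlet filter mapped to those same URL patterns. The container applies the security constraint first (so these routes reach the filter chain unauthenticated), and the filter then rejects a missing or wrong key with 401. It assumes the javax.servlet API (Jakarta EE 8, which the mpJwt-1.2 feature pairs with), that the expected key is provisioned in an API_KEY environment variable, and the two route patterns from the question; the class name ApiKeyFilter is made up for the example.

```java
// Added example, not from the original question or from Open Liberty.
// Assumptions: javax.servlet (Jakarta EE 8), the key is provisioned via the
// API_KEY environment variable, and the route patterns match the question.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Same URL patterns as the "Public" security-constraint in web.xml, so the
// container lets these requests through unauthenticated and this filter is
// the only check they get.
@WebFilter(urlPatterns = {"/customApiKeyRoute1/*", "/customApiKeyRoute2/*"})
public class ApiKeyFilter implements Filter {
    private static final String HEADER = "X-API-Key";
    private byte[] expectedKeyDigest;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String key = System.getenv("API_KEY"); // assumption: key comes from the environment
        if (key == null || key.isEmpty()) {
            // Fail closed: with no configured key nothing on these routes can be authorized.
            throw new ServletException("API_KEY is not configured");
        }
        // Store only a digest; the comparison below works on digests of fixed length.
        expectedKeyDigest = sha256(key.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        if (!isValidKey(http.getHeader(HEADER), expectedKeyDigest)) {
            // Missing or wrong key: reject here, because on these open routes neither
            // mpJwt nor the container security constraint will do it.
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only if the presented header value matches the configured key. */
    static boolean isValidKey(String presented, byte[] expectedKeyDigest) {
        if (presented == null || presented.isEmpty() || expectedKeyDigest == null) {
            return false;
        }
        // Hash the presented value too, so both inputs have the same length and
        // MessageDigest.isEqual runs in constant time regardless of what was sent.
        byte[] presentedDigest = sha256(presented.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(presentedDigest, expectedKeyDigest);
    }

    static byte[] sha256(byte[] input) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```

Requests carrying X-API-Key to any other route still skip mpJwt because of the authFilter and are still refused by the AllAuthenticated constraint, exactly as described above; the filter only changes what happens on the routes that were opened up. Hashing both sides before MessageDigest.isEqual matters because isEqual returns immediately when the array lengths differ, which would otherwise leak the key length.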