0

I currently have a REST API that must be authenticated via BasicAuth, but later some other method.

It's set up in Tomcat 6 with realms, and I have the following in my web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>document</web-resource-name>
        <url-pattern>/rest/document/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>document</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat-Advance-Authentication-Realm</realm-name>
</login-config>

This works fine for URLs like /rest/document/*.

My question is, does anyone know if it's possible or how to define other URLs dynamically without building and re-deploying?

For example another security constraint,

<security-constraint>
    <web-resource-collection>
        <web-resource-name>secure</web-resource-name>
        <url-pattern>/rest/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>secure</role-name>
    </auth-constraint>
</security-constraint>

Thanks

kenorb
wsams

1 Answer

2

Whenever you make a change to web.xml, the web application needs to be restarted to pick up those changes.

If you need a dynamic security constraint, consider building a custom configurable filter and a related property file in which you can define protected resources (for example).

Luca
  • Thanks Luca, I think we'll go that route. Eventually we want to use Spring 3 Security to handle this. – wsams Apr 03 '12 at 17:11
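
A sketch of the configurable filter the answer suggests, added here as an example and not code from the answer or from Tomcat. The class name `DynamicRoleFilter`, the `rulesFile` init-param and the `prefix=role` properties format are assumptions, and it assumes the container has already authenticated the caller (for example through one broad BASIC constraint on `/rest/*`), so the filter only makes the per-path role decision.

```java
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: required role per URL prefix, read from a properties
// file outside the WAR (e.g. "/rest/secure/=secure") and reloaded on change.
public class DynamicRoleFilter implements Filter {
    private File rulesFile;
    private long loadedAt = -1;
    private volatile Map<String, String> rules = Collections.emptyMap();

    public void init(FilterConfig cfg) throws ServletException {
        rulesFile = new File(cfg.getInitParameter("rulesFile")); // assumed param name
    }

    private synchronized void reloadIfChanged() throws IOException {
        long mtime = rulesFile.lastModified();      // 0 if the file is missing
        if (mtime == loadedAt) return;
        Properties p = new Properties();
        InputStream in = new FileInputStream(rulesFile); // throws if missing
        try { p.load(in); } finally { in.close(); }
        Map<String, String> m = new HashMap<String, String>();
        for (String k : p.stringPropertyNames()) m.put(k, p.getProperty(k).trim());
        rules = m;
        loadedAt = mtime;
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        try { reloadIfChanged(); } catch (IOException e) {
            // Fail closed: unreadable rules must not open up the API
            res.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return;
        }
        // Use the container-decoded path rather than the raw request URI
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info) + "/";
        String required = null;
        for (Map.Entry<String, String> e : rules.entrySet()) {
            // Prefixes end in "/" so "/rest/secure/" never matches "/rest/securex"
            if (path.startsWith(e.getKey()) && (required == null || !required.equals(e.getValue())))
                required = req.isUserInRole(e.getValue()) ? required : e.getValue();
        }
        if (required != null) { res.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Every rule whose prefix matches the path must be satisfied, so adding a narrower rule can only tighten access. Editing the properties file takes effect on the next request without a redeploy.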