HowTo: Tomcat exclude URL pattern from the Basic auth


Once you set up basic authentication, there are cases where some directories, for example image directories or other public directories, should not fall under the authentication.

By adding a few security-constraint elements to the existing authentication configuration we can exclude any URL pattern from the security constraint.

Here is what my web.xml looks like:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Private</web-resource-name>
    <description>Matches all pages.</description>
    <url-pattern>/*</url-pattern>
    <!-- No http-method is listed, so the constraint covers every HTTP method. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Must match the security-role below and the role in tomcat-users.xml. -->
    <role-name>authenticated-user</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public</web-resource-name>
    <description>Matches a few special pages.</description>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern>/public/*</url-pattern>
  </web-resource-collection>
  <!-- No auth-constraint means everybody has access. -->
</security-constraint>
<security-role>
  <description>logged in users</description>
  <role-name>authenticated-user</role-name>
</security-role>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>watcher</realm-name>
</login-config>

There are two security constraints. The first one, “Private”, matches all web resources, while the second one, “Public”, only matches the index page and everything below “/public/”. The order of the security-constraint elements does not matter.

The auth-constraint specifies which roles are allowed to access the matched pattern. The role-name given there must refer to a security-role declaration in web.xml and must also be present in the servlet container's user database; we also need a login-config element that sets the authentication method to use.

The “Public” security-constraint does not specify an auth-constraint element, which means everybody has access to the patterns it matches, which is exactly what we need.
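To check which paths end up public after a change like this, here is an added example (my own code, not part of the original post or of Tomcat) that parses a constructed web.xml fragment mirroring the constraints above and applies the servlet mapping rules (exact match, then longest path prefix, then extension, then default) the way Tomcat selects the most specific constraints; it also reports auth-constraint roles that are not declared as a security-role:

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment with the same constraints as the post (role names made consistent).
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection><web-resource-name>Private</web-resource-name>
    <url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>authenticated-user</role-name></auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><web-resource-name>Public</web-resource-name>
    <url-pattern>/index.jsp</url-pattern><url-pattern>/public/*</url-pattern>
  </web-resource-collection>
</security-constraint>
<security-role><role-name>authenticated-user</role-name></security-role>
</web-app>"""

def parse_constraints(xml_text):
    """Return ([(url_patterns, roles_or_None), ...], declared_roles). roles is None when no auth-constraint."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        constraints.append((patterns, roles))
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    return constraints, declared

def match_rank(pattern, path):
    """Lower tuple = more specific match; None = no match (servlet mapping rules)."""
    if pattern == path:
        return (0, 0)
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (1, -len(pattern))                     # longest prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (2, 0)
    return (3, 0) if pattern == "/" else None

def effective_access(constraints, path):
    """'everyone', 'nobody', or the set of roles allowed for path, using the most specific constraints."""
    best, chosen = None, []
    for patterns, roles in constraints:
        ranks = [r for r in (match_rank(p, path) for p in patterns) if r is not None]
        if ranks and (best is None or min(ranks) <= best):
            best, chosen = min(ranks), (chosen + [roles] if min(ranks) == best else [roles])
    if not chosen or any(r is None for r in chosen):
        return "everyone"                              # unconstrained, or a constraint without auth-constraint
    allowed = set().union(*chosen)
    return allowed if allowed else "nobody"            # an empty auth-constraint denies everybody

def undeclared_roles(constraints, declared):
    """Roles used in auth-constraints but missing from security-role (the typo this post's config had)."""
    return set().union(*(set(r) for _, r in constraints if r)) - declared
```

Running effective_access over the paths you expect to be protected is a quick regression check before redeploying.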

tomcat-users.xml:

<tomcat-users>
  <!-- The rolename must match the role-name used in web.xml. -->
  <role rolename="authenticated-user" />
  <user username="myusername" password="mypass" roles="authenticated-user" />
</tomcat-users>

Now redeploy the web application so Tomcat picks up the changes.


One thought on “HowTo: Tomcat exclude URL pattern from the Basic auth”

    dineshramitc said:
    February 17, 2015 at 4:11 pm

    Reblogged this on Dinesh Ram Kali..
