Once you have set up basic authentication, there are cases where image directories or other public directories do not need to come under authentication.
By adding a few security-constraint tags to the existing authentication parameters, we can exclude any URL pattern from the security checks.
Here is what my web.xml looks like:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Private</web-resource-name>
        <description>Matches all pages.</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- Must match the security-role and the tomcat-users role name exactly -->
        <role-name>authenticated-user</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Public</web-resource-name>
        <description>Matches a few special pages.</description>
        <url-pattern>/index.jsp</url-pattern>
        <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint, so everybody has access! -->
</security-constraint>
<security-role>
    <description>logged in users</description>
    <role-name>authenticated-user</role-name>
</security-role>
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>watcher</realm-name>
</login-config>
There are two security constraints. The first one, “Private”, matches all web resources, while the second one, “Public”, only matches the index page and everything below “/public/”. No order has to be followed for the
The auth-constraint specifies which users are allowed access to the matched pattern. The role-name given there must refer to a security-role declaration in web.xml, and it must also be present in the servlet container’s user database. We also need a login-config definition for the authentication method to use.
A security-constraint need not specify an auth-constraint element, which means everybody has access to the matched pattern, which is exactly what we needed.
<tomcat-users>
    <role rolename="authenticated-user" />
    <user username="myusername" password="mypass" roles="authenticated-user" />
</tomcat-users>
Now re-deploy the container.