
Match jetty url-pattern to only root directory


I would like to only password protect the root directory on my context path for a Jetty WebApp. My context path is /MyApp, so I would like to require a password for accessing:

http://localhost:8080/MyApp

But NOT for:

http://localhost:8080/MyApp/cometd

My current setup is below (pay attention to the url-pattern):

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Private Page</web-resource-name>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>moderator</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Test Realm</realm-name>
</login-config>

I would expect this to work just by nature of how / and /* work in general. I've also seen this resource which I believe is suggesting that this should pretty much work: http://www.coderanch.com/t/364782/Servlets/java/there-key-difference-between-url

However, for my case, the url patterns:

<url-pattern>/</url-pattern>

and

<url-pattern>/*</url-pattern>

seem to act exactly the same: both

http://localhost:8080/MyApp 

and

http://localhost:8080/MyApp/cometd

are BOTH password protected.

Of course, if I change it to /nothingishere, just as a sanity test, nothing is password protected except for /MyApp/nothingishere.

Does anyone know how to only protect the root directory for web servlets?


Solution

  • Here is the answer for you:

    <?xml version="1.0" encoding="UTF-8"?>
    
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
            version="3.0">
        <session-config>
            <session-timeout>
                30
            </session-timeout>
        </session-config>
        <security-constraint>   
            <web-resource-collection>
                <web-resource-name>Private Page</web-resource-name>
                <url-pattern>/</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>moderator</role-name>
            </auth-constraint>
        </security-constraint>
        <security-constraint>   
            <web-resource-collection>
                <web-resource-name>Public page</web-resource-name>
                <url-pattern>/test/*</url-pattern>
            </web-resource-collection>        
        </security-constraint>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>Test Realm</realm-name>
        </login-config>
    </web-app>
    

    In this configuration, the root directory is password protected and the /test/... directory is not. I think this is what you are asking for.

    This configuration is tested on Tomcat 7+ and a new project created from the beginning in NetBeans (I can email you the whole source if you need it).

    This is the output: [screenshot not included]
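Why the answer works, and why `/` and `/*` behave the same in the question, comes down to how the Servlet specification picks the security constraints for a request (Servlet 3.0, sections 12.1, 12.2 and 13.8): exact url-pattern first, then the longest matching `/dir/*` prefix, then `*.ext`, and only then the default pattern `/`, which catches everything nothing else matched. All constraints sharing the winning pattern are combined, and a constraint with no `<auth-constraint>` at all permits unauthenticated access, which is what the answer's `/test/*` constraint does. The following Python model of those rules is an added example, not code from the question, the answer, Jetty or Tomcat; the constraint tables are built from the web.xml fragments on this page, `COMETD_FIX` is an assumed translation of the answer to the asker's cometd case, and the function names are mine.

```python
"""Model of the Servlet-spec rules that decide which <security-constraint>
elements apply to a request (Servlet 3.0 sections 12.1/12.2 and 13.8).

Matching order for a request path (request URI minus the context path):
  1. exact match of a url-pattern,
  2. the longest matching path-prefix pattern ("/dir/*"),
  3. an extension pattern ("*.ext"),
  4. the default pattern "/", which applies only when nothing else matched.
All constraints sharing the winning pattern are combined (section 13.8.1).

Added model, not Jetty or Tomcat code. Constraint tables are constructed
from the web.xml fragments on this page plus one assumed fix (COMETD_FIX).
"""

# A constraint is (url_pattern, roles):
#   None           -> no <auth-constraint>: unauthenticated access allowed
#   ()             -> empty <auth-constraint/>: nobody is allowed
#   ("moderator",) -> the listed <role-name>s are required
ORIGINAL = [("/", ("moderator",))]                      # the asker's web.xml
STAR = [("/*", ("moderator",))]                         # the asker's "/*" variant
ANSWER = [("/", ("moderator",)), ("/test/*", None)]     # the accepted answer
# Assumed fix for the asker's real case: protect "/" but open the cometd tree.
COMETD_FIX = [("/", ("moderator",)), ("/cometd/*", None)]


def _prefix_matches(pattern, path):
    """'/dir/*' matches '/dir' itself and anything below '/dir/'."""
    base = pattern[:-2]
    return path == base or path.startswith(base + "/")


def applicable_constraints(constraints, path):
    """Return the constraints whose url-pattern is the best match for path."""
    exact = [c for c in constraints if c[0] == path]
    if exact:
        return exact
    prefixes = [c for c in constraints
                if c[0].endswith("/*") and _prefix_matches(c[0], path)]
    if prefixes:
        longest = max(len(c[0]) for c in prefixes)
        return [c for c in prefixes if len(c[0]) == longest]
    last = path.rsplit("/", 1)[-1]
    if "." in last:
        suffix = "*." + last.rsplit(".", 1)[-1]
        by_ext = [c for c in constraints if c[0] == suffix]
        if by_ext:
            return by_ext
    # Step 4: "/" is the default catch-all, not "the root only".
    return [c for c in constraints if c[0] == "/"]


def decision(constraints, path):
    """Combine the applicable constraints as section 13.8.1 prescribes.

    Returns "public", "denied" or "roles:<comma-separated role names>".
    """
    applicable = applicable_constraints(constraints, path)
    if not applicable:
        return "public"                 # resource not covered by any constraint
    roles_per_constraint = [roles for _, roles in applicable]
    if any(r == () for r in roles_per_constraint):
        return "denied"                 # empty <auth-constraint/> overrides the rest
    if any(r is None for r in roles_per_constraint):
        return "public"                 # a missing <auth-constraint> permits all
    union = set()
    for r in roles_per_constraint:
        union.update(r)
    return "roles:" + ",".join(sorted(union))


def report(constraints, paths=("/", "/cometd", "/cometd/handshake", "/test/x.html")):
    """Decision per path; "/" stands for the request for the context root."""
    return {p: decision(constraints, p) for p in paths}


if __name__ == "__main__":
    for name, table in (("original", ORIGINAL), ("/* variant", STAR),
                        ("answer", ANSWER), ("cometd fix", COMETD_FIX)):
        print(f"{name:12s} {report(table)}")
```

Running it shows `ORIGINAL` and `STAR` giving identical results for every path (both protect `/cometd`), `ANSWER` leaving only `/test/...` public, and `COMETD_FIX` protecting the context root while `/cometd` and everything under it stays open. In web.xml terms `COMETD_FIX` is the answer's structure with `<url-pattern>/cometd/*</url-pattern>` in the second `<security-constraint>` and, deliberately, no `<auth-constraint>` in it. Two things to check when copying that pattern: an empty `<auth-constraint/>` is not the same as leaving the element out (the former locks everyone out), and because `/` is a catch-all rather than a root-only pattern, every public subtree needs its own permissive constraint.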