I have configured ADFS SAML on weblogic server and have added corresponding entry in web.xml. I want to exclude one url from authourization through ADFS SAML so i have added security constraint without auth-constraint in web.xml.So Now I am expecting the url with /Sample/ should get excluded but still it is authourizing /Sample/ request Please find below web.xml Restricted /Sample/*
<security-constraint>
<display-name>excluded</display-name>
<web-resource-collection>
<web-resource-name>No Access</web-resource-name>
<url-pattern>*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>Restricted</web-resource-name>
<url-pattern>/Sample</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>SAML</web-resource-name>
<url-pattern>*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>everyone</role-name>
</auth-constraint>
</security-constraint>
You have multiple problems currently... The first thing you should do is break it up into multiple security-constraint. You can have more than one, so define a separate one for your SAML and No Access. Your URL pattern is the same for SAML and No Access, which one is it?:
<url-pattern>*</url-pattern>
Your auth-constraint seems bad too... allow access to everyone? If you're simply looking to restrict parts, of an app, specify no auth contraint like:
<auth-constraint />
Follow a through example on SO like: How to exclude one url from authorization
or
Follow a tutorial like http://java.dzone.com/articles/understanding-web-security