I currently have a REST API that must be authenticated via BasicAuth, but later some other method.
It's setup in Tomcat 6 with realms and I have the following in my web.xml,
<security-constraint>
<web-resource-collection>
<web-resource-name>document</web-resource-name>
<url-pattern>/rest/document/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>document</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<Realm-name>Tomcat-Advance-Authentication-Realm</Realm-name>
</login-config>
This works fine for URLs like /rest/document/*.
My question is, does anyone know if it's possible or how to define other URLs dynamically without building and re-deploying?
For example another security constraint,
<security-constraint>
<web-resource-collection>
<web-resource-name>secure</web-resource-name>
<url-pattern>/rest/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>secure</role-name>
</auth-constraint>
</security-constraint>
Thanks
Whenever you make a change to web.xml, the web application needs to be restarted to pick up those changes.
If you need dynamic security constraint consider building a custom configurable filter and a related property file in wich you can define protected resources(for example).