
My web.xml looks like:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Role</role-name>
    </auth-constraint>
</security-constraint>

This protects every page with authorization, but I want to exclude /info. Is this possible?

hudi

3 Answers


Omit the <auth-constraint> element in the <security-constraint> for resources for which you don't need authentication, like:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/info</url-pattern>
    </web-resource-collection>
    <!-- OMIT auth-constraint -->
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Role</role-name>
    </auth-constraint>
</security-constraint>
  • I tried this approach and it didn't work. Is this valid? – cherry Feb 04 '16 at 00:17
  • /path is not working for me, while /path/* works for all files placed under /path. Also, /path/myfile.xhtml works for an individual file, but /path/*.xhtml does not work. – Jonathan L Apr 08 '16 at 23:56
  • I tried it and it worked fine, but be aware of container-specific authorization: in my case WildFly secures all resources, so you have to keep that in mind too. – Vokail Jul 26 '18 at 06:33
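As an added illustration (not code from any answer above), here is a small Python model of how a servlet container decides which constraint governs a request: the best-matching url-pattern wins (an exact match beats the longest path prefix, which beats an extension pattern, which beats the default), and only the constraints declared on that winning pattern are combined, which is why an exact /info constraint with no auth-constraint opens /info while /* keeps everything else protected. It also shows why the /path/*.xhtml form from the comment above is not a valid url-pattern at all. The precedence and combination rules follow my reading of the Servlet specification (sections 12.1 and 13.8.1); the data at the bottom is a constructed encoding of the accepted answer's web.xml.

```python
# Constructed model (not a container's code) of how a servlet container picks the
# security constraint for a request: best-matching url-pattern first (Servlet
# spec 12.1), then the constraints declared on that pattern are combined (13.8.1).

EXACT, PATH_PREFIX, EXTENSION, DEFAULT, INVALID = "exact", "path", "ext", "default", "invalid"
RANK = {EXACT: 0, PATH_PREFIX: 1, EXTENSION: 2, DEFAULT: 3}       # precedence order

def pattern_kind(pattern):
    """Classify a url-pattern; a '*' anywhere else (e.g. /path/*.xhtml) is INVALID."""
    if pattern == "/":
        return DEFAULT
    if pattern.startswith("/") and pattern.endswith("/*"):
        return PATH_PREFIX
    if pattern.startswith("*.") and "/" not in pattern:
        return EXTENSION
    return INVALID if "*" in pattern else EXACT

def matches(pattern, uri):
    kind = pattern_kind(pattern)
    if kind == EXACT:
        return uri == pattern
    if kind == PATH_PREFIX:
        prefix = pattern[:-2]                     # "/path/*" -> "/path", "/*" -> ""
        return uri == prefix or uri.startswith(prefix + "/")
    if kind == EXTENSION:
        return uri.endswith(pattern[1:])          # "*.xhtml" -> ".xhtml"
    return kind == DEFAULT                        # "/" matches all; INVALID matches nothing

def best_pattern(patterns, uri):
    """Exact match beats the longest path prefix, which beats extension, then default."""
    hits = [p for p in patterns if matches(p, uri)]
    return min(hits, key=lambda p: (RANK[pattern_kind(p)], -len(p)), default=None)

def required_roles(constraints, uri):
    """constraints: list of (patterns, roles); roles=None means <auth-constraint> omitted.
    Returns None if unauthenticated access is allowed, set() if nobody may access the
    resource, else the roles any one of which grants access."""
    best = best_pattern({p for pats, _ in constraints for p in pats}, uri)
    if best is None:
        return None                               # no constraint covers this URI
    applicable = [roles for pats, roles in constraints if best in pats]
    if any(roles is None for roles in applicable):
        return None                               # omitted auth-constraint opens the resource
    if any(roles == set() for roles in applicable):
        return set()                              # empty auth-constraint precludes all access
    return set().union(*applicable)

# The accepted answer's two constraints, as constructed data:
WEB_XML = [(["/info"], None), (["/*"], {"Role"})]
```

Note that /info/ (with a trailing slash) or /info/x is not an exact match for /info and therefore falls back to /*, which is what the second comment above observed for /path versus /path/*.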

If you are looking for a Keycloak with Spring Boot solution, then try something like this in your application properties file:

keycloak.security-constraints[0].authRoles[0]=users
keycloak.security-constraints[0].security-collections[0].patterns[0]=/*
keycloak.security-constraints[1].security-collections[0].patterns[0]=/info

This will apply security on all URLs except /info.

Ady

I don't know whether I get you right! With my limited knowledge, I think that in order to implement security, the content to be secured is declared using one or more web-resource-collection elements. Each web-resource-collection element contains an optional series of url-pattern elements followed by an optional series of http-method elements. The url-pattern element value specifies a URL pattern against which a request URL must match for the request to correspond to an attempt to access secured content. The http-method element value specifies a type of HTTP request to allow.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure Content</web-resource-name>
        <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AuthorizedUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- ... -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>The Restricted Zone</realm-name>
</login-config>
<!-- ... -->
<security-role>
    <description>The role required to access restricted content </description>
    <role-name>AuthorizedUser</role-name>
</security-role>

A URL lying under the web application's /restricted path requires the AuthorizedUser role.

Dileep