I'm trying to write a web-based setup for my web application (mainly setting up the database). But because I am using DIGEST authentication for all Servlets, I'm having a problem there. I want to be able to ask the user to enter his MySQL password, but he can't because he can't log in. Since the users are saved in the database, which doesn't exist at that point, there is no way to log in.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>crm_user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>tomcat_realm</realm-name>
</login-config>

Can I override the login config for a single Servlet, so the user doesn't have to enter a password?

kenorb
Kendoha
1 Answer

Notice that you specify <url-pattern>/*</url-pattern>. You can use this pattern to apply the security constraint to only those URLs that you want to require authentication. Any URL that does not match this pattern will not have this security constraint applied.

You can also add a second security-constraint with a url-pattern that matches the URLs that you don't want secured. In this case, leave out the auth-constraint tag entirely so everyone is allowed to access those URLs. Look at this other question for an example.

Community
Rob
  • I know that, but my program has over a hundred Servlets, I don't like the idea of mapping them all. Isn't there a way to add an exception to the rule? – Kendoha Dec 04 '14 at 11:03
  • @Kendoha I have edited the answer to include an option that does not require changing your existing security constraint with a link to an example. – Rob Dec 04 '14 at 15:23
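
The second constraint the answer describes, written out as an added example (not part of the original answer or the asker's application). The `/setup/*` path, the resource name, and the use of `CONFIDENTIAL` (which assumes an HTTPS connector is configured) are assumptions.

```xml
<!-- Existing constraint from the question, unchanged. Only GET and POST are
     listed, so other HTTP methods are not covered by this constraint. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>crm_user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Added constraint for the setup servlet (assumed to be mapped under /setup/*).
     There is no auth-constraint element, so no login is required here.
     /setup/* is a more specific match than /*, so for these URLs the container
     applies this constraint instead of the wildcard one. No http-method
     elements are given, so the constraint covers every HTTP method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Setup pages, no authentication</web-resource-name>
    <url-pattern>/setup/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- Assumption: HTTPS is available. The setup form carries the MySQL
         password, so it is required to travel over TLS. Use NONE only if
         no HTTPS connector exists. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Login configuration from the question, unchanged. -->
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>tomcat_realm</realm-name>
</login-config>
```

Because `/setup/*` is reachable without a login, the setup servlet itself has to refuse requests once the database exists.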