I would like, from a single web application, to have parts of it using authentication and parts of it to be fully open (or more specifically not use container-based auth).

The part of the application that uses container-based authentication lives at URL / while the part that is open lives at URL /openpages. (Yes, I know it would probably have been easier if it was the other way around, but I don't want to open up the source code of the application.)

This is my attempt at a web.xml:

<web-app>
    ....
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>closedpages</web-resource-name>
            <url-pattern>/</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
</web-app>

Since my url-pattern states / and not /* I'm thinking it should work. But it doesn't. No matter if I access http://myhost/ or http://myhost/openpages/ I get an HTTP Authentication prompt. Only http://myhost/ should trigger an HTTP Authentication prompt.

The way I understand it is that everything not specifically covered by a <security-constraint> is open, right? So, /openpages/ should not use any authentication.

More to this: I don't really like the fact that <login-config> is specified at the level of the webapp rather than at the level of each security constraint. Surely that is crippling to flexibility?

  • Could you try [whitelisting](http://stackoverflow.com/a/8071539/3080094) and using an [empty string](http://stackoverflow.com/a/36026195/3080094) for context root? – vanOekel Mar 18 '16 at 00:19
  • @vanOekel. This solved it for me. Especially the fact that whitelisting was an option. Why don't you put it as an answer and I'll accept it. – peterh Mar 19 '16 at 11:55

Everything not specifically covered by a security-constraint is NOT open by default; use whitelisting for that (in short: a security-constraint without an auth-constraint is available to anyone without a login).

Also note that the url-pattern values are not entirely intuitive, see the details in this answer and an example of a multiple url-pattern matching problem in this question (where /testresource.xml matches both /* and *.xml).

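As an added example (not code from the question, the answer, or the linked posts), the following Python script parses two small constructed web.xml fragments, one mirroring the question's attempt and one using the whitelisting layout the answer recommends, and applies the Servlet path-matching order (exact match, longest path prefix, extension, then the default pattern /) to decide whether a request path is open, denied, or behind a login. The treatment of / as the default catch-all pattern, the precedence of prefix patterns over extension patterns (the /testresource.xml case), and the combination rules for overlapping constraints are my reading of the Servlet specification and of Tomcat's behaviour, stated here as assumptions; the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments (assumption: they stand in for the real deployment descriptor).
# ORIGINAL_WEB_XML mirrors the question's attempt; WHITELIST_WEB_XML applies the answer's advice:
# a constraint for /openpages/* with NO auth-constraint, and /* behind a login.
ORIGINAL_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>closedpages</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

WHITELIST_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>openpages</web-resource-name>
      <url-pattern>/openpages/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>closedpages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def load_constraints(xml_text):
    """Return a list of (url_patterns, roles). roles is None when the constraint has no
    auth-constraint (whitelisted), [] for an empty auth-constraint (deny everyone),
    otherwise the listed role names ("*" meaning any authenticated role)."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        constraints.append((patterns, roles))
    return constraints


def best_patterns(path, patterns):
    """Servlet mapping order (assumption: as Tomcat applies it to security constraints):
    exact match, else the longest '/...*' prefix, else '*.ext', else the default pattern '/'."""
    exact = [p for p in patterns if p == path]
    if exact:
        return exact
    prefixes = [p for p in patterns if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        longest = max(len(p) for p in prefixes)
        return [p for p in prefixes if len(p) == longest]
    ext = [p for p in patterns if p.startswith("*.") and path.endswith(p[1:])]
    if ext:
        return ext
    return [p for p in patterns if p == "/"]  # '/' is the catch-all default pattern


def access_decision(path, constraints):
    """Combine every constraint whose pattern won the match for this path."""
    all_patterns = [p for pats, _ in constraints for p in pats]
    winners = set(best_patterns(path, all_patterns))
    if not winners:
        return "open"            # no constraint covers the path at all
    applicable = [roles for pats, roles in constraints if winners & set(pats)]
    if any(roles == [] for roles in applicable):
        return "denied"          # empty <auth-constraint/> overrides everything else
    if any(roles is None for roles in applicable):
        return "open"            # whitelisted: a matching constraint has no auth-constraint
    roles = set().union(*applicable)
    return "login required (roles: %s)" % ", ".join(sorted(roles))


def demo():
    """Decisions for the paths from the question plus the /testresource.xml case from the answer."""
    original = load_constraints(ORIGINAL_WEB_XML)
    whitelist = load_constraints(WHITELIST_WEB_XML)
    # Constructed: '/*' behind a login and '*.xml' whitelisted; prefix matching outranks extension.
    ext_case = [(["/*"], ["*"]), (["*.xml"], None)]
    return {
        "original /": access_decision("/", original),
        "original /openpages/": access_decision("/openpages/", original),
        "whitelist /": access_decision("/", whitelist),
        "whitelist /openpages/": access_decision("/openpages/", whitelist),
        "whitelist /openpages": access_decision("/openpages", whitelist),
        "ext /testresource.xml": access_decision("/testresource.xml", ext_case),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-26s -> %s" % (key, value))
```

Running it shows why the question's descriptor prompted for /openpages/: with no better match, the lone / pattern is the default and catches every path. With the whitelisted layout, /openpages/* is the longest prefix match for anything under /openpages and carries no auth-constraint, so those paths are open while /* still guards the rest.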