So, I have a web application built on the J2EE framework. In my web.xml we have specified a security constraint to define all .jsp, .js, .java files as protected resources. I, however, want to exclude a couple of files from this constraint so that they can be served by the server even when the session/user is not logged in.
This is how the security constraint was initially defined in the web.xml.
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Apollocast A Resources</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
            <url-pattern>*.js</url-pattern>
            <url-pattern>*.html</url-pattern>
            <url-pattern>*.java</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>iboxmanagersa</role-name>
        </auth-constraint>
    </security-constraint>
I tried adding another constraint on a specific file, but it did not work.
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Apollocast A Resources</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
            <url-pattern>*.js</url-pattern>
            <url-pattern>*.html</url-pattern>
            <url-pattern>*.java</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>iboxmanagersa</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Public Resources</web-resource-name>
            <url-pattern>/authselect.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- No roles required, meaning unrestricted access -->
        </auth-constraint>
    </security-constraint>
If I access authselect.jsp directly without logging in first, it is still blocked by a login page. Any solutions to this?
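
Added example, not part of the original question: a small Python model of the Servlet specification's constraint selection, in which the best-matching `url-pattern` wins, an `<auth-constraint>` that names no roles denies every caller, and a constraint with no `<auth-constraint>` element at all permits unauthenticated access. The names `rank`, `decide`, `ASKED` and `OMITTED` and the trimmed sample web.xml are constructed for illustration; the model assumes no XML namespace and ignores `http-method-omission` and the default `/` pattern.

```python
import xml.etree.ElementTree as ET

# Constructed sample (no XML namespace): the question's two constraints, trimmed.
ASKED = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>*.jsp</url-pattern><http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>iboxmanagersa</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/authselect.jsp</url-pattern></web-resource-collection>
  <auth-constraint/>
 </security-constraint>
</web-app>"""
OMITTED = ASKED.replace("<auth-constraint/>", "")  # element left out entirely

def rank(pattern, path):
    """Servlet best-match order: exact > longest path prefix > extension."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return None

def decide(web_xml, path, method="GET"):
    """Return 'deny-all', 'public', or the set of roles required for path."""
    hits = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            methods = [m.text for m in wrc.iter("http-method")]
            if methods and method not in methods:
                continue  # this collection does not cover the request method
            for p in wrc.iter("url-pattern"):
                r = rank(p.text.strip(), path)
                if r:
                    hits.append((r, sc.find("auth-constraint")))
    if not hits:
        return "public"
    best = max(r for r, _ in hits)
    auths = [a for r, a in hits if r == best]
    roles = [{n.text for n in a.iter("role-name")} for a in auths if a is not None]
    if any(not r for r in roles):
        return "deny-all"  # auth-constraint naming no roles: nobody may access
    if len(roles) < len(auths):
        return "public"    # a best-match constraint has no auth-constraint
    return set().union(*roles)
```

`decide(ASKED, "/authselect.jsp")` returns `'deny-all'`, while `decide(OMITTED, "/authselect.jsp")` returns `'public'` and other `.jsp` paths still require `iboxmanagersa`.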