Exclude one role in web.xml


I have a web.xml in my web application that contains a security constraint similar to the following.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Application</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-role>
    <description>Any logged in user can access this application.</description>
    <role-name>*</role-name>
</security-role>

This will allow any logged in user to access the application. Is there a way to allow any user to access the application except if they have a certain role?

Something like this:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Application</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <exclude-role>
        <role-name>exclude</role-name>
    </exclude-role>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-role>
    <description>Any logged in user can access this application.</description>
    <role-name>*</role-name>
</security-role>

<security-role>
    <description>Except for users with this role.</description>
    <role-name>exclude</role-name>
</security-role>

I could list out each role that should have access, but there are a good number of roles, plus we are constantly adding new roles that should also have access to this application, so I need a way to exclude just a single role.

1 answer

Kumar Abhishek:

You can make use of Filters:

They are explained well at the link below:

http://www.avajava.com/tutorials/lessons/what-is-a-filter-and-how-do-i-use-it.html