I have a web.xml in my web application that contains a security constraint similar to the following.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-role>
  <description>Any logged in user can access this application.</description>
  <role-name>*</role-name>
</security-role>
This will allow any logged-in user to access the application. Is there a way to allow any user to access the application except if they have a certain role?
Something like this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <exclude-role>
    <role-name>exclude</role-name>
  </exclude-role>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-role>
  <description>Any logged in user can access this application.</description>
  <role-name>*</role-name>
</security-role>
<security-role>
  <description>Except for users with this role.</description>
  <role-name>exclude</role-name>
</security-role>
I could list out each role that should have access, but there are a good number of roles, plus we are constantly adding new roles that should also have access to this application, so I need a way to exclude just a single role.
You can make use of Filters.
Explained well in the link below:
http://www.avajava.com/tutorials/lessons/what-is-a-filter-and-how-do-i-use-it.html
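The answer above names the mechanism but does not show it, so here is an added worked example that is not part of the original question or answer. The `<exclude-role>` element in the question does not exist in the Servlet deployment descriptor; the container can only grant by role, so the "deny one role" rule has to live in application code. The filter below (class name `ExcludedRoleFilter` and the init-param name `excludedRole` are my own choices) sits behind the existing `<security-constraint>`, which still forces authentication, and rejects any principal that the container reports as holding the excluded role. Because the question already declares `exclude` in a `<security-role>`, `HttpServletRequest.isUserInRole("exclude")` resolves portably without a `<security-role-ref>`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Registration in web.xml (maps the filter to the same /* pattern as the
 * security constraint, so it runs for every protected request):
 *
 *   <filter>
 *     <filter-name>ExcludedRoleFilter</filter-name>
 *     <filter-class>ExcludedRoleFilter</filter-class>
 *     <init-param>
 *       <param-name>excludedRole</param-name>
 *       <param-value>exclude</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>ExcludedRoleFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */

/**
 * Denies access to any authenticated user who holds the excluded role.
 * The container still enforces the web.xml constraint (authentication plus
 * "any declared role"), so this filter only adds the single exclusion.
 */
public class ExcludedRoleFilter implements Filter {

    // Default matches the role declared in the question; overridable via init-param.
    private String excludedRole = "exclude";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("excludedRole");
        if (configured != null && !configured.trim().isEmpty()) {
            excludedRole = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Fail closed: behind the security constraint there is always a principal,
        // but if the filter is ever mapped to an unprotected path, do not let
        // anonymous requests through.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The container resolves role membership from its realm, so the check
        // stays consistent with the roles used by <auth-constraint>.
        if (request.isUserInRole(excludedRole)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Two things to verify when deploying this: the filter mapping must cover every URL pattern the constraint protects, otherwise a path reachable outside the mapping bypasses the exclusion; and the realm must actually assign the `exclude` role to the intended users, since a user who is simply not in any role is already rejected by the `<auth-constraint>`, not by this filter.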