How to exclude one url from authorization
Omit the <auth-constraint>
element in <security-constraint>
for resources for which you don't need authentication like:
<security-constraint> <web-resource-collection> <web-resource-name>app</web-resource-name> <url-pattern>/info</url-pattern> </web-resource-collection> <!-- OMIT auth-constraint --></security-constraint><security-constraint> <web-resource-collection> <web-resource-name>app</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>Role</role-name> </auth-constraint></security-constraint>
If you are looking for keycloak with Spring boot solution, then try likes this in your application properties file:
keycloak.security-constraints[0].authRoles[0]=userskeycloak.security-constraints[0].security-collections[0].patterns[0]=/*keycloak.security-constraints[1].security-collections[0].patterns[0]=/info
This will apply security on all URLs except /info
I don't know whether I get you right ! With my limited knowledge I think in-order to implement security the content to be secured is declared using one or more web-resource-collection elements. Each web-resource-collection element contains an optional series of url-pattern elements followed by an optional series of http-method elements. The url-pattern element value specifies a URL pattern against which a request URL must match for the request to correspond to an attempt to access secured content. The http-method element value specifies a type of HTTP request to allow.
<security-constraint> <web-resource-collection> <web-resource-name>Secure Content</web-resource-name> <url-pattern>/restricted/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>AuthorizedUser</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint></security-constraint><!-- ... --><login-config> <auth-method>BASIC</auth-method> <realm-name>The Restricted Zone</realm-name></login-config><!-- ... --><security-role> <description>The role required to access restricted content </description> <role-name>AuthorizedUser</role-name></security-role>
URL lying under the web application's /restricted path requires an AuthorizedUser role.