Looking for Flag to disable Auth in JSF web.xml

StackOverflow https://stackoverflow.com/questions/23495719

Question

I'm searching a simple true/false flag in the web.xml for enabling or disabling the authentication in JSF.

The situation:

I have a web.xml with the following code for authentication:

<login-config>
    <auth-method>${test.auth}</auth-method>
    <realm-name>file</realm-name>
</login-config>
<security-role>
    <description>Tester</description>
    <role-name>Tester</role-name>
</security-role>
<security-constraint>
    <display-name>Test-Server-Access</display-name>
    <web-resource-collection>
      <web-resource-name>Test-Server-Access</web-resource-name>
      <description/>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>Tester Access</description>
      <role-name>Tester</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>HTTPS Login</description>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

everything is working as expected and pretty good for my purpose. But theres one thing left. As you can see I want to fill in a param (<auth-method>${test.auth}</auth-method>) and this is working pretty well too. But now I need something like a flag for disabling the whole auth mechanism with such a param. I already tried it with <auth-method>NONE</auth-method> but I think the system is still expecting a user in the role Tester.

So how to disable the whole auth mechanism without commenting it out?

Context:

I have different environments for my application:

  • Development on the local machine

  • Test-Server

  • Production-Server

Now I want that authentication only happens on the Test-Server. For that I use maven-profiles for

  • Development -> no profile

  • Test-Server -> test profile

  • Production-Server -> production profile

To achieve that different behavior I filter the web.xml through maven and insert values at build-time e.g. <auth-method>${test.auth}</auth-method>.

Thanks for the help.

Was it helpful?

Solution

I "solved" the problem by setting the url-pattern to a never used site. Thats not nice but it works for now :/.

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
</login-config>
<security-role>
    <description>Tester</description>
    <role-name>Tester</role-name>
</security-role>
<security-constraint>
    <display-name>Test-Server-Access</display-name>
    <web-resource-collection>
      <web-resource-name>Test-Server-Access</web-resource-name>
      <description/>
      <url-pattern>${test.url}</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>Tester Access</description>
      <role-name>Tester</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>HTTPS Login</description>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

I would appreciate a cleaner solution if theres any.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top