Dynamic security constraint configuration in Java web.xml

Question

I currently have a REST API that must be authenticated via BasicAuth, but later some other method.

It's setup in Tomcat 6 with realms and I have the following in my web.xml,

<security-constraint>
    <web-resource-collection>
        <web-resource-name>document</web-resource-name>
        <url-pattern>/rest/document/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>document</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <Realm-name>Tomcat-Advance-Authentication-Realm</Realm-name>
</login-config>

This works fine for URLs like /rest/document/*.

My question is, does anyone know if it's possible or how to define other URLs dynamically without building and re-deploying?

For example another security constraint,

<security-constraint>
    <web-resource-collection>
        <web-resource-name>secure</web-resource-name>
        <url-pattern>/rest/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>secure</role-name>
    </auth-constraint>
</security-constraint>

Thanks

Answer 1

Whenever you make a change to web.xml, the web application needs to be restarted to pick up those changes.

If you need dynamic security constraint consider building a custom configurable filter and a related property file in wich you can define protected resources(for example).