Hi Matthew,

Tomcat does that because the spec does (even if several people have asked to
break that limitation, it is not yet done at the servlet spec level).
That said, to secure a REST endpoint you just need a filter in your app and
implement the security login in there. You can delegate to the container
(request.login()/request.logout()) or not, depending on what you want to do.
MP JWT Auth typically uses that:
https://github.com/apache/geronimo-jwt-auth/blob/master/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


On Wed, 22 Aug 2018 at 15:55, Matthew Broadhead
<[email protected]> wrote:

> My webapp already has a login-config set to keycloak in web.xml so AFAIK
> I cannot define any other security configs there.  Why doesn't Tomcat
> allow multiple security methods?
> <login-config>
>      <auth-method>KEYCLOAK</auth-method>
>      <realm-name>secure</realm-name>
> </login-config>
>
> Is there another way to protect a JAX-RS endpoint using basic auth
> without having to create another webapp?  I read something about valves...
>
>
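
A filter of the kind described in the reply above, as an added example (not code from this thread or from the geronimo-jwt-auth project): it checks HTTP Basic credentials itself instead of delegating to the container. The URL pattern `/api/internal/*`, the environment variable names and the `javax.servlet` API level are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example. The path and the environment variable names are hypothetical.
@WebFilter("/api/internal/*")
public class BasicAuthFilter implements Filter {
    private byte[] expected; // "user:password" bytes, loaded once at startup

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String user = System.getenv("API_BASIC_USER");
        String pass = System.getenv("API_BASIC_PASSWORD");
        if (user == null || pass == null) {
            // Fail closed: refuse to start rather than run unprotected.
            throw new ServletException("Basic auth credentials not configured");
        }
        expected = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String header = req.getHeader("Authorization");
        // The scheme name is case-insensitive; the token follows "Basic ".
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)
                && matches(header.substring(6).trim())) {
            chain.doFilter(req, res);
            return;
        }
        res.setHeader("WWW-Authenticate", "Basic realm=\"api\", charset=\"UTF-8\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    private boolean matches(String b64) {
        try {
            byte[] supplied = Base64.getDecoder().decode(b64);
            return MessageDigest.isEqual(supplied, expected); // constant-time compare
        } catch (IllegalArgumentException malformed) {
            return false; // not valid base64: treat as failed authentication
        }
    }

    @Override public void destroy() { }
}
```

The filtered path must not also be covered by a `<security-constraint>` in web.xml, otherwise the KEYCLOAK authenticator handles the request before the filter is reached. Basic credentials are only base64-encoded, so serve the endpoint over HTTPS.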
