Hi Romain,
Thanks. that was the conclusion was coming to. I am glad it is a valid
solution. I found this example also
https://gist.github.com/neolitec/8953607.
I guess i will define a filter mapping in web.xml
Matthew
On 22/08/18 16:01, Romain Manni-Bucau wrote:
Hi Matthew,
tomcat does that because the spec does (even if several people ask to break
that limitation it is not yet done at servlet spec level)
that said to secure a rest endpoint you just need a filter in your app and
implement the security login in there. you can delegate to the container
(request.login()/request.logout()) or not depending what you want to do.
MP JWT Auth uses that typically:
https://github.com/apache/geronimo-jwt-auth/blob/master/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java
Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>
Le mer. 22 août 2018 à 15:55, Matthew Broadhead
<[email protected]> a écrit :
my webapp already has a login-config set to keycloak in web.xml so AFAIK
i cannot define any other security configs there. why doesn't tomcat
allow multiple security methods?
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>secure</realm-name>
</login-config>
is there another way to protect a jax-rs endpoint using basic auth
without having to create another webapp? i read something about valves...
