Yes works, or even @WebFilter(urlPatterns="/*",asyncSupported=true)
Romain Manni-Bucau @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance> Le mer. 22 août 2018 à 16:15, Matthew Broadhead <[email protected]> a écrit : > Hi Romain, > > Thanks. that was the conclusion was coming to. I am glad it is a valid > solution. I found this example also > https://gist.github.com/neolitec/8953607. > > I guess i will define a filter mapping in web.xml > > Matthew > > On 22/08/18 16:01, Romain Manni-Bucau wrote: > > Hi Matthew, > > > > tomcat does that because the spec does (even if several people ask to > break > > that limitation it is not yet done at servlet spec level) > > that said to secure a rest endpoint you just need a filter in your app > and > > implement the security login in there. you can delegate to the container > > (request.login()/request.logout()) or not depending what you want to do. > > MP JWT Auth uses that typically: > > > https://github.com/apache/geronimo-jwt-auth/blob/master/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java > > > > Romain Manni-Bucau > > @rmannibucau <https://twitter.com/rmannibucau> | Blog > > <https://rmannibucau.metawerx.net/> | Old Blog > > <http://rmannibucau.wordpress.com> | Github < > https://github.com/rmannibucau> | > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > > < > https://www.packtpub.com/application-development/java-ee-8-high-performance > > > > > > > > Le mer. 22 août 2018 à 15:55, Matthew Broadhead > > <[email protected]> a écrit : > > > >> my webapp already has a login-config set to keycloak in web.xml so AFAIK > >> i cannot define any other security configs there. why doesn't tomcat > >> allow multiple security methods? > >> <login-config> > >> <auth-method>KEYCLOAK</auth-method> > >> <realm-name>secure</realm-name> > >> </login-config> > >> > >> is there another way to protect a jax-rs endpoint using basic auth > >> without having to create another webapp? i read something about > valves... > >> > >> > >
