I'm using good ol' container-managed authentication and migrating to Acegi. I'm protecting *.html in my web.xml and I allow some URLs to pass through using a <security-constraint> with no <auth-contraint>:
With Acegi, I've been able to get all of this working, except for the unprotected pages. Is there a way to manipulate the following expression so that a couple of URLs aren't protected?
I'd rather not put these pages in a specific directory since I've (so far) been able to integrate Acegi w/o changing a single line of code. ;-)
<!-- All anyone to access passwordHint and signup --> <security-constraint> <web-resource-collection> <web-resource-name>Unrestricted</web-resource-name> <description>All users can view</description> <url-pattern>/passwordHint.html</url-pattern> <url-pattern>/signup.html</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> </security-constraint>
<property name="objectDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /*.html=Administrators </value> </property>