Leon, Is it a requirement for you to use BASIC auth? or could you use something like the Remote Address Filter to restrict by IP address?
https://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Address_Filter If you configure this valve in the restricted environment you can then control who can access to just that environment. Dan On Thu, 2011-11-03 at 10:10 -0700, Leon Rosenberg wrote: > Hello, > > I have a situation where an application is accessable from outside in > staging and production environment, but shouldn't be open for public > in staging environment. > What we did so far was, that we excluded everyone via web.xml: > > > <!-- security configuration --> > <login-config> > <auth-method>BASIC</auth-method> > </login-config> > <security-role> > <role-name>my-access</role-name> > </security-role> > <security-constraint> > <display-name>blub</display-name> > <web-resource-collection> > <web-resource-name>myres</web-resource-name> > <url-pattern>*.html</url-pattern> > </web-resource-collection> > <auth-constraint> > <role-name>my-access</role-name> > </auth-constraint> > </security-constraint> > <!-- /security configuration --> > > Is there any possibility to make this conditional, depending on an > environment property? Is there any other opportunity to achieve the > same? > Currently we have to kill the above lines from web.xml after each > deployment and this sucks ;-( > > regards > Leon > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org >