Java

Java EE

You are able to identify enpoints which does not require authentication by looking at web.xml file inside application related folder.

Web.xml analysis

There are a few ways to force authentication on endpoints in web.xml. In order to select the endpoints without authentication look for functions without:

<security-constraint>
<login-config>
<security-role>

Example:

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

    <!-- 1. Endpoint that requires authentication -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Area</web-resource-name>
            <url-pattern>/secure/*</url-pattern> <!-- Protected endpoint -->
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name> <!-- Only admin can access -->
        </auth-constraint>
    </security-constraint>

    <!-- 2. Public endpoint (no authentication required) -->
    <!-- No security-constraint for /public/* -->
    <!-- This means /public/* is accessible to everyone -->

    <!-- Authentication method configuration -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <!-- Security roles -->
    <security-role>
        <role-name>admin</role-name>
    </security-role>

</web-app>

IDE Search tips:

security-constraint → shows all security-restricted endpoints.
auth-constraint → confirms which endpoints need authentication.
url-pattern → to see all mapped endpoints (both protected and public).
login-config → shows the type of authentication used (FORM, BASIC, DIGEST, CLIENT-CERT).

Spring Boot

Unlike Java EE in Spring Boot we usually determine authentication in Java Class. If one of the class has annotation like:

@EnableWebSecurity

or extends:

WebSecurityConfigurerAdapter
SecurityFilterChain

Example:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            .antMatchers("/public/**").permitAll()     // no auth required
            .antMatchers("/admin/**").hasRole("ADMIN") // requires auth
            .anyRequest().authenticated()
        )
        .formLogin(Customizer.withDefaults());
    return http.build();
}

IDE Search tips:

IDE Search: Search for keywords:
- authenticated(
- hasRole
- @PreAuthorize
- @Secured
Spring Boot Actuator: If enabled, it can list all endpoints (/actuator/mappings).

PreviousLooking for unauthenticated endpoints NextType Juggling [archived]

Last updated 4 months ago