I'm trying to lock down a web service using Tomcat and Javax RESTful web services. Some of the endpoints need to be available to the public, but by default they should require an authenticated user.
What I would like to do is something like this
With the end goal being that the developer has to actively go out and specify which methods don't require authentication (Rather than requiring the developer to actively secure endpoints).
Any thoughts on how to best go about this? I would really like it if somehow I could apply an annotation and then in something like a servlet filter check for the existence of that annotation to determine what should be done about authentication.
I don't really want the route of "Apply the authentication filter to all resources in this path", though that would accomplish the same task. (What I don't like about that is it requires specific knowledge that all endpoints in path X are secured while endpoints in path Y are not. I would rather say "All endpoints are secured unless specifically excluded").
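Added example, not taken from the question or from any answer: a JAX-RS `ContainerRequestFilter` that implements the "secured unless explicitly excluded" rule the question describes. Because it runs after resource matching, `ResourceInfo` tells the filter exactly which Java method will handle the request, so it can look for an opt-out annotation on that method (or its class) and fail closed with 401 otherwise. The annotation name `PublicEndpoint`, the resource paths and the `Bearer` challenge are assumptions; it also assumes that something earlier in the chain (Tomcat container authentication or another filter) has already populated the JAX-RS `SecurityContext` with a principal.

```java
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

import javax.annotation.Priority;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Marker annotation (hypothetical name): opts a method, or a whole resource class, OUT of authentication. */
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@interface PublicEndpoint {}

/**
 * Deny-by-default authentication gate. Not @PreMatching, so it runs after the
 * JAX-RS runtime has chosen the resource method; ResourceInfo exposes it.
 */
@Provider
@Priority(Priorities.AUTHENTICATION)
class DefaultDenyAuthFilter implements ContainerRequestFilter {

    @Context
    private ResourceInfo resourceInfo;

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        Method method = resourceInfo.getResourceMethod();
        Class<?> clazz = resourceInfo.getResourceClass();

        // No resource matched: the runtime will answer 404, nothing to protect.
        if (method == null) {
            return;
        }

        // The opt-out must be explicit, on the method or on the enclosing class.
        boolean isPublic = method.isAnnotationPresent(PublicEndpoint.class)
                || (clazz != null && clazz.isAnnotationPresent(PublicEndpoint.class));
        if (isPublic) {
            return;
        }

        // Assumption: an earlier stage (container login, another filter) has already
        // filled the SecurityContext. No principal means "not authenticated".
        SecurityContext sc = ctx.getSecurityContext();
        if (sc == null || sc.getUserPrincipal() == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"api\"")
                    .build());
        }
    }
}

/** Constructed resource: /api/status is public by explicit opt-out, /api/me needs a principal. */
@Path("/api")
class ExampleResource {

    @GET
    @Path("/status")
    @PublicEndpoint          // the only way to make an endpoint reachable without authentication
    public String status() {
        return "ok";
    }

    @GET
    @Path("/me")             // no annotation: the filter rejects unauthenticated callers with 401
    public String me(@Context SecurityContext sc) {
        return sc.getUserPrincipal().getName();
    }
}
```

The filter still has to be registered with the JAX-RS application (provider classpath scanning, or returning it from `Application.getClasses()`); if it is silently not registered, every endpoint becomes public, so a test that calls an unannotated method without credentials and expects 401 is the cheapest guard against that. With this layout, a developer who adds a new method and forgets about authentication gets a 401 rather than an open endpoint, which is the "secured unless specifically excluded" property the question asks for.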