This may seem a strange question. but I want to do the following:
Switch off web-app security
Retain the <security-constraint> sections in the web.xml of the web apps.
The reason for this is that we need to enforce security on the web app in question on both JBoss and Websphere, but for reasons outside our control, the websphere JAAS cannot be switched on in time for deployment. Hence I am creating a ServletFilter to perform the security. I am parsing the web.xml for the security restrictions in order that when JAAS is finally switched on we can make the switch by simply removing the filter.
The problem I am having with JBoss is that JAAS works fine, but I can't seem to get rid of it to test the filter without removing the <security-constraint>'s from web.xml, and thus losing the security information I need for the filter to work properly!
Not going to happen without replacing the jboss security layer.