Jacc Delegation For Unsecured Web Resources
Based on JBAS-2519, starting jboss-4.0.4.GA, it is possible to delegate to a JACC provider for resources that are not secured via the web.xml security constraints.
There is an attribute on the JACCAuthorizationRealm that needs to be enabled. It is called as unprotectedResourceDelegation.
When this flag is enabled, the JACCAuthorizationRealm will look for an implementation of "findSecurityConstraints"
from either the JACC policy provider or a special provider class that is plugged in via the
<Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm" unprotectedResourceDelegation="true" securityConstraintProviderClass="org.jboss.test.security.test.CustomSecurityConstraintProvider" certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"></Realm>