I’ve used Struts2 and Glassfish to create a web-app which has two user roles: user, and admin. I would like all actions to be constrained to the admin role by default, and a subset of the actions to be available to the "basic" user. I guess this can be achieved by for the admin-role. But, and here is the problem, I also have a login-action and a registration-action (register new users) which should be available for everybody, and the *-constraint will not allow this. So is there a way to create a security-constraint which applies to users that are not logged in? Is there a default user-role which applies to users that are not logged in? Or any other way to create an exception to a "default" security-constraint?
Or is the only solution to name all actions explicitly for all constraints, and leave out the register- and login-action (i.e. no "default" security-constraint)