Securing a web application is always required, but many times securing it with Basic Authentication is all that is needed, or there may be a requirement that only particular URLs (such as admin URLs) need to be authenticated.
It is simple and straightforward to configure Basic Authentication with Tomcat.
In Basic Authentication, the following steps happen:
- If we try to hit a URL of a web application that is protected and we are currently unauthenticated, a popup dialog appears and we enter a username/password, which the browser sends to Tomcat in the Authorization header (base64-encoded, not encrypted, and resent on every subsequent request to that application).
- Tomcat verifies that the username and password match a user entry in tomcat-users.xml, and it makes sure that the user's tomcat-users.xml role (or roles) match the role (or roles) that have access to the web application resource, as specified in the web.xml file.
- If we have a match (username/password/role), the user gains access to the application resource. A correct username/password whose roles do not match is refused with 403 rather than prompted again.
If Tomcat is configured within Eclipse as described in the previous post, the file tomcat-users.xml can be found in the Servers project that Eclipse creates, as shown below.
If instead you have a Tomcat instance running standalone, tomcat-users.xml can be found at
$CATALINA_HOME/conf/tomcat-users.xml, where CATALINA_HOME is the directory where Apache Tomcat is installed.
Our tomcat-users.xml file is shown below. It has two roles called 'tomcat' and 'admin', and three users: 'user', 'super', and 'both'. The user 'both' has both the 'tomcat' and 'admin' roles. Note that this file stores the passwords in clear text and that the sample users use their username as their password, which is fine for a local test but not for a deployed instance.
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="admin"/>
  <user username="user" password="user" roles="tomcat"/>
  <user username="super" password="super" roles="admin"/>
  <user username="both" password="both" roles="tomcat,admin"/>
</tomcat-users>
Let's create a simple web application called 'basic-authentication', whose project structure looks as shown below.
In order to enable Basic Authentication for this web application we edit its web.xml so that it looks something like this:
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>Archetype Created Web Application</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All URLs are protected</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- the role users must hold; the original screenshot is not reproduced here, so 'admin' from tomcat-users.xml is assumed -->
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
- The security-constraint element contains three parts: web-resource-collection, auth-constraint, and user-data-constraint.
- The web-resource-collection specifies the parts of our application that require authentication.
- The /* url-pattern indicates that all the URLs in the application require authentication; to protect only the admin area, for example, use /admin/* instead.
- The http-method specifies which HTTP methods need to be protected, in our case GET and POST. Listing methods explicitly leaves every other method (HEAD, PUT, DELETE, ...) unprotected for the same URLs, so omit http-method altogether unless you really intend to cover only some methods.
- The auth-constraint specifies the role that a user needs to have in order to access the protected resources.
- The user-data-constraint's transport-guarantee can be NONE, CONFIDENTIAL, or INTEGRAL. It is set to NONE in the case of a non-SSL environment; since Basic Authentication only base64-encodes the username and password, anything other than a local test should use CONFIDENTIAL so that Tomcat redirects requests to HTTPS.
- The login-config element contains the auth-method element, which specifies the authentication method that we use, which is BASIC.
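To make the three steps and the two files above concrete, here is an added example (not Tomcat's source and not code from the original post): a small Python model that parses constructed copies of tomcat-users.xml and web.xml and decides a single request the way Tomcat does, including the transport-guarantee redirect. The required role 'admin', the realm name, the https://localhost:8443 redirect base and all function names are this example's own assumptions.

```python
# Added example, not Tomcat's own code: a model of the checks a BASIC <security-constraint> triggers.
import base64
import hmac
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed sample: the roles and users from the post's tomcat-users.xml.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="admin"/>
  <user username="user" password="user" roles="tomcat"/>
  <user username="super" password="super" roles="admin"/>
  <user username="both" password="both" roles="tomcat,admin"/>
</tomcat-users>"""
# Constructed sample web.xml: /* protected for GET and POST; the required role 'admin' is an assumption.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All URLs are protected</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>basic-authentication</realm-name></login-config>
</web-app>"""
# methods: empty set = every HTTP method covered; roles: None = no <auth-constraint>, so no login needed.
Constraint = namedtuple("Constraint", "patterns methods roles transport")
Decision = namedtuple("Decision", "status headers principal", defaults=({}, None))

def load_users(xml_text):
    """tomcat-users.xml -> {username: (password, set_of_roles)}."""
    users = {}
    for u in ET.fromstring(xml_text).findall("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = (u.get("password"), roles)
    return users

def load_constraints(xml_text):
    """web.xml -> (list of Constraint, realm name used in the 401 challenge)."""
    root = ET.fromstring(xml_text)
    out = []
    for sc in root.findall("security-constraint"):
        wrc = sc.find("web-resource-collection")
        patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
        methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        tg = sc.find("user-data-constraint/transport-guarantee")
        out.append(Constraint(patterns, methods, roles, "NONE" if tg is None else tg.text.strip().upper()))
    return out, root.findtext("login-config/realm-name", default="Authentication required")

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: default (/), path prefix (/admin/*), or exact match."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def basic_header(username, password):
    """What the browser sends after the popup: base64 only, so plaintext to anyone on the wire without TLS."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return {"Authorization": "Basic " + token}

def parse_basic(header):
    """Decode 'Basic <base64>' into (user, password); None if the header is missing or malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def check_request(method, path, headers, users, constraints, realm, secure=False, https_base="https://localhost:8443"):
    """Outcome Tomcat would produce for one request: (status, response headers, authenticated principal)."""
    matched = [c for c in constraints if any(pattern_matches(p, path) for p in c.patterns)
               and (not c.methods or method.upper() in c.methods)]
    if not matched:
        return Decision(200)              # uncovered method or URL: served with no login at all
    # transport-guarantee is enforced first: CONFIDENTIAL/INTEGRAL over plain HTTP is redirected to the HTTPS port.
    if not secure and any(c.transport in ("CONFIDENTIAL", "INTEGRAL") for c in matched):
        return Decision(302, {"Location": https_base + path})
    needed = [c.roles for c in matched if c.roles is not None]
    if not needed:
        return Decision(200)              # constrained for transport only, not for identity
    required = set().union(*needed)       # roles are unioned across all matching constraints
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return Decision(401, challenge)   # nothing usable was sent: the browser shows the popup
    username, password = creds
    stored_password, user_roles = users.get(username, ("", set()))
    # Constant-time compare that always runs, and one identical 401 for unknown user or wrong password.
    if not hmac.compare_digest(stored_password.encode(), password.encode()) or username not in users:
        return Decision(401, challenge)
    if "*" in required or required & user_roles:
        return Decision(200, {}, username)
    return Decision(403)                  # authenticated, but holds none of the required roles
```

Running check_request for the three users shows the distinction the steps describe: 'super' and 'both' get 200, 'user' authenticates but gets 403 because the 'tomcat' role is not in the auth-constraint, and a wrong password gets exactly the same 401 as an unknown username. A DELETE slips through with 200 because only GET and POST were listed, which is why leaving http-method out is the safer default, and switching the transport-guarantee to CONFIDENTIAL turns every plain-HTTP request into a redirect to HTTPS, which is what keeps the base64 credentials off the wire.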
Once we hit the application URL in the browser we get an authentication prompt like this.
On successful authentication we are allowed to access the application, as shown below.
I hope this has been useful for you and I’d like to thank you for reading. If you like this article, please leave a helpful comment and share it with your friends.