Configure Basic Authentication with Tomcat
Securing a web application is always required, but quite often Basic Authentication is all that is needed, or there may be a requirement that only particular URLs (such as admin URLs) must be authenticated.
Configuring Basic Authentication in Tomcat is simple and straightforward.
With Basic Authentication, the following steps happen:
- If we request a URL of the web application that is protected while we are currently unauthenticated, Tomcat answers with 401 and a WWW-Authenticate: Basic header, the browser shows a login dialog, and the username/password we enter is sent back to Tomcat in the Authorization header of the request (base64-encoded, which is not encryption; anyone who can read the traffic can recover the password).
- Tomcat verifies that the username and password match a user entry in tomcat-users.xml, and it makes sure that the user's tomcat-users.xml role (or roles) match the role (or roles) that have access to the web application resource, as specified in the web.xml file.
- If we have a match (username/password/role), the user gains access to the application resource. A valid password with the wrong role gets 403 rather than 401.
If Tomcat is configured within Eclipse as described in the previous post, then the file tomcat-users.xml can be found as shown below.
If instead you have a Tomcat instance running standalone, tomcat-users.xml is located at $CATALINA_HOME/conf/tomcat-users.xml, where CATALINA_HOME is the directory where Apache Tomcat is installed.
Our tomcat-users.xml file is shown below. It has two roles called 'tomcat' and 'admin', and three users: 'user', 'super', and 'both'. The user 'both' has both the 'tomcat' and 'admin' roles. The passwords are stored in plain text here purely for the demo; Tomcat's realms can be configured to store password digests instead, and nothing as weak as these credentials should ever reach a real deployment.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="admin"/>
  <user username="user" password="user" roles="tomcat"/>
  <user username="super" password="super" roles="admin"/>
  <user username="both" password="both" roles="tomcat,admin"/>
</tomcat-users>
```
Let's create a simple web application called 'basic-authentication' whose project structure looks as below.
In order to enable Basic Authentication for the above web application we edit its web.xml, which then looks something like this:
```xml
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
  <display-name>Archetype Created Web Application</display-name>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All URLs are protected</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
```
- The security-constraint element contains three parts: web-resource-collection, auth-constraint, and user-data-constraint.
- The web-resource-collection specifies the parts of our application that require authentication.
- The url-pattern /* indicates that all the URLs in the application require authentication.
- The http-method elements specify which HTTP methods are protected, in our case GET and POST. Be careful here: once any http-method is listed, only those methods are covered by the constraint, so a HEAD, PUT, DELETE or OPTIONS request to the very same URL goes through without any authentication (Tomcat logs a warning about "uncovered" methods for exactly this reason). Unless you really want that, omit the http-method elements altogether so that the constraint applies to every method.
- The auth-constraint specifies the role(s) a user needs to have in order to access the protected resources; a user without one of these roles is refused with 403 even with a correct password.
- The user-data-constraint's transport-guarantee can be NONE, CONFIDENTIAL, or INTEGRAL. It is set to NONE here because this is a non-SSL development setup. Since Basic Authentication sends the password with every request, merely base64-encoded, anything beyond a local demo should use CONFIDENTIAL so that Tomcat redirects to the HTTPS connector and the credentials are protected by TLS.
- The login-config element contains the auth-method element, which specifies the authentication method that we use, which is BASIC.
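To see how the pieces above fit together, here is a small model of the decision Tomcat makes for each request, using the tomcat-users.xml and web.xml shown in this post. It is an illustrative re-implementation written for this article, not Tomcat's own code: it parses both files, decodes the Authorization header, and returns the status a request would get (401 when no usable credentials are presented, 403 when the user lacks the required role, 200 otherwise). It also makes the http-method pitfall visible: a PUT to a URL under /* passes with no credentials at all because only GET and POST are listed. The request lines at the bottom are constructed sample input, and the constraint evaluation is simplified (first matching constraint wins, plain-text password comparison as in the demo config).

```python
"""Model of Tomcat's Basic Authentication decision for one request.

Illustrative re-implementation for this article, NOT Tomcat's code.  The two
XML documents are the ones from the post; the requests at the bottom are
constructed sample input.
"""
import base64
import xml.etree.ElementTree as ET

TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="admin"/>
  <user username="user" password="user" roles="tomcat"/>
  <user username="super" password="super" roles="admin"/>
  <user username="both" password="both" roles="tomcat,admin"/>
</tomcat-users>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All URLs are protected</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>"""


def load_users(xml_text):
    """Return {username: (password, {roles})} from a tomcat-users.xml document."""
    users = {}
    for u in ET.fromstring(xml_text).iter("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = (u.get("password"), roles)
    return users


def load_constraints(xml_text):
    """Return [(url_patterns, http_methods, role_names)] from web.xml.
    An empty http_methods set means every method is covered."""
    constraints = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.iter("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.iter("url-pattern")]
            methods |= {m.text.strip().upper() for m in wrc.iter("http-method")}
        roles = {r.text.strip() for r in sc.iter("role-name")}
        constraints.append((patterns, methods, roles))
    return constraints


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact, '/prefix/*', or '*.ext'."""
    if pattern == "/*" or pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def parse_basic(header):
    """Decode 'Basic <base64(user:password)>'; None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(method, path, authorization, users, constraints):
    """Return the status the request would get: 200, 401 or 403."""
    required_roles = None
    for patterns, methods, roles in constraints:
        covered = any(pattern_matches(p, path) for p in patterns)
        # Listed <http-method>s restrict coverage to exactly those methods;
        # anything else (HEAD, PUT, DELETE, OPTIONS, ...) is left unprotected.
        if covered and (not methods or method.upper() in methods):
            required_roles = roles
            break
    if required_roles is None:
        return 200                      # no constraint applies
    creds = parse_basic(authorization)
    if creds is None or creds[0] not in users or users[creds[0]][0] != creds[1]:
        return 401                      # challenge again: WWW-Authenticate: Basic
    if "*" in required_roles or required_roles & users[creds[0]][1]:
        return 200
    return 403                          # authenticated, but wrong role


def basic_header(user, password):
    """Build the Authorization header value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


USERS = load_users(TOMCAT_USERS_XML)
CONSTRAINTS = load_constraints(WEB_XML)

if __name__ == "__main__":
    samples = [("GET", None), ("GET", basic_header("user", "user")),
               ("GET", basic_header("super", "super")),
               ("GET", basic_header("user", "wrong")), ("PUT", None)]
    for method, hdr in samples:
        print(method, hdr, "->", authorize(method, "/index.jsp", hdr, USERS, CONSTRAINTS))
```

Running the script prints 401 for the anonymous GET, 200 for user/user, 403 for super/super (valid password, no 'tomcat' role), 401 for a wrong password, and 200 for the anonymous PUT; deleting the two http-method lines from WEB_XML turns that last result into 401, which is the behaviour you almost always want.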
Once we hit the application URL in the browser we get an authentication prompt something like this.
On successful authentication we are allowed to access the application as below.
Download-Basic-Authentication-Tomcat-Project
I hope this has been useful for you and I’d like to thank you for reading. If you like this article, please leave a helpful comment and share it with your friends.