Configure Basic Authentication with Tomcat

Although our web application must be secured, in many cases securing it with Basic Authentication is all that is needed, or there may be a requirement that only particular URLs (such as admin URLs) need authentication.

It is simple and straightforward to configure Basic Authentication with Tomcat.

In Basic Authentication, the following steps happen:

  1. If we try to hit a URL of a web application that is protected and we are currently unauthenticated, a popup dialog appears and we enter a username and password, which get sent to Tomcat.
  2. Tomcat verifies to see that the username and password match a user entry in tomcat-users.xml, and it makes sure that the user’s tomcat-users.xml role (or roles) match the role (or roles) that have access to your web application resource, which is specified in your web.xml file.
  3. If we have a match (username/password/role), the user gains access to the application resource.

If Tomcat is configured within Eclipse as described in the previous post, the file tomcat-users.xml can be found as shown below.


Otherwise, if you have a standalone Tomcat instance, tomcat-users.xml is located at $CATALINA_HOME/conf/, where CATALINA_HOME is the directory in which Apache Tomcat is installed.

Our tomcat-users.xml file is shown below. It has two roles, ‘tomcat’ and ‘admin’, and three users: ‘user’, ‘super’, and ‘both’. The user ‘both’ has both the ‘tomcat’ and ‘admin’ roles.

Let's create a simple web application called ‘basic-authentication’ whose project structure looks as shown below.



In order to enable Basic Authentication for the above web application, we edit its web.xml so that it looks like this:

  1. The security-constraint element contains three parts: web-resource-collection, auth-constraint, and user-data-constraint.
  2. The web-resource-collection specifies the parts of our application that require authentication.
  3. The url-pattern /* indicates that all URLs in the application require authentication.
  4. The http-method specifies which HTTP methods need to be protected; in our case these are GET and POST.
  5. The auth-constraint specifies the role that a user needs to have in order to access the protected resources.
  6. The user-data-constraint’s transport-guarantee can be NONE, CONFIDENTIAL, or INTEGRAL. It is set to NONE in a non-SSL environment.
  7. The login-config element contains the auth-method element, which specifies the authentication method that we use, which is BASIC.
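As an added example (not the post's original file), here is a complete WEB-INF/web.xml that puts the seven elements above together for the ‘tomcat’ and ‘admin’ roles from our tomcat-users.xml. It goes beyond the post's single /* constraint with a second constraint for /admin/* (an assumed path) that requires the ‘admin’ role, covering the admin-URL case mentioned at the start, and adds the Servlet 3.1 deny-uncovered-http-methods element as a caveat for constraints that list only GET and POST.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml for 'basic-authentication' (added example, not the post's own file).
     Roles 'tomcat' and 'admin' are the ones defined in the post's tomcat-users.xml. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!-- 1) Whole application: every URL needs an authenticated user holding role 'tomcat'. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- NONE as in the post (plain HTTP). CONFIDENTIAL makes Tomcat redirect to HTTPS
           first, so the Base64-encoded credentials are not sent in clear text. -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- 2) Admin area (assumed path, beyond the post's example). Tomcat applies the
       constraint whose url-pattern best matches the request, so /admin/* is governed by
       this constraint alone: user 'both' may enter, a user holding only 'tomcat' may not. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- Servlet 3.1 (Tomcat 8+): methods not listed above (PUT, DELETE, ...) get a 403
       instead of being left unprotected because no constraint names them. -->
  <deny-uncovered-http-methods/>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>basic-authentication</realm-name>
  </login-config>
  <!-- Declare the roles referenced in the auth-constraints above. -->
  <security-role><role-name>tomcat</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
```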

Once we hit the application URL in the browser, we get an authentication prompt like this:



On successful authentication, we are allowed to access the application, as shown below.




I hope this has been useful for you and I’d like to thank you for reading. If you like this article, please leave a helpful comment and share it with your friends.
