How to restrict access to web applications in Tomcat

You can create a realm in Tomcat, a container-managed authentication mechanism that allows you to protect all or part of your webapp by requiring a username and password before requests can be processed. To create a realm, you take the following steps:

1. In your Tomcat instance's

file, configure the
element to require authentications for requests destined for your webapp or host, and configure the
element to tell Tomcat where to look for user accounts and password information.

[ See also: How to configure Tomcat to always require HTTPS ]

2. In your webapp's

file, configure the security settings, including which URIs to secure, which authentication method to use (BASIC, DIGEST, FORM, or CLIENT-CERT), and whether to always use HTTPS.


By default, Tomcat includes a UserDatabase resource preconfigured in


    <Resource name="UserDatabase" auth="Container"         type="org.apache.catalina.UserDatabase"         description="User database that can be updated and saved"     factory="org.apache.catalina.users.MemoryUserDatabaseFactory"         pathname="conf/tomcat-users.xml" />

This resource stores and retrieves user account information in

. To declare a realm that uses this resource, you add a
element, typically just below the
element that configures your webapp:

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"         resourceName="UserDatabase"/>

Next, you add a

element to the
to link the context to the realm:

    <Context path="" docBase="/opt/webapps/secretweb">         <!-- Link to the user database we will get roles and users from. -->         <ResourceLink name="users" global="UserDatabase"             type="org.apache.catalina.UserDatabase"/>     </Context>

Tomcat is now configured to use the realm

. Next, you configure your webapp's
file like this:

    <security-constraint>         <web-resource-collection>             <web-resource-name>Top Secret Stuff</web-resource-name>             <url-pattern>/*</url-pattern>         </web-resource-collection>         <auth-constraint>             <role-name>secretagent</role-name>         </auth-constraint>     </security-constraint>     <login-config>         <auth-method>BASIC</auth-method>         <realm-name>Top Secret Stuff</realm-name>     </login-config>     <security-role>         <description>Roles that each qualify a user to authenticate.         </description>         <role-name>secretagent</role-name>     </security-role>

This configuration specifies that any request destined for the webapp causes Tomcat to send a BASIC authentication challenge, which requires users to authenticate with a username and password. It also restricts access to users whose accounts have the "secretagent" role. You can grant users this role by configuring

as follows:

<tomcat-users>   <role rolename="secretagent"/>   <user name="greg" password="007" roles="secretagent"/>   <user name="ed" password="mycat" roles="secretagent"/>   <user name="ken" password="mule" roles="secretagent"/> </tomcat-users>

After you have finished configuring realms, resources, security, and users, restart Tomcat and try accessing the webapp. You should be prompted for a username and password.

For more information on how realms work and how to configure them, see For information on how the default configuration works, see the MemoryRealm page at

Do you have a question on installing, configuring, or deploying Apache Tomcat? Submit it here.


Today's tip was provided by sdozen12 on behalf of MuleSoft

Want to cash in on your IT savvy? Send your tip to If we post it, we'll send you a $25 Amazon e-gift card.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon