How to restrict access to web applications in Tomcat

You can create a realm in Tomcat, a container-managed authentication mechanism that allows you to protect all or part of your webapp by requiring a username and password before requests can be processed. To create a realm, you take the following steps:

1. In your Tomcat instance's conf/server.xml file, configure the <Realm> element to require authentication for requests destined for your webapp or host, and configure the <Resource> element to tell Tomcat where to look for user accounts and password information.


2. In your webapp's WEB-INF/web.xml file, configure the security settings, including which URIs to secure, which authentication method to use (BASIC, DIGEST, FORM, or CLIENT-CERT), and whether to always use HTTPS.

Example:

By default, Tomcat includes a UserDatabase resource preconfigured in conf/server.xml:

    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />

This resource stores and retrieves user account information in conf/tomcat-users.xml. To declare a realm that uses this resource, you add a <Realm> element, typically just below the <Host> element that configures your webapp:

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>

Next, you add a <ResourceLink> element to the <Context> to link the context to the realm:

    <Context path="" docBase="/opt/webapps/secretweb">
        <!-- Link to the user database we will get roles and users from. -->
        <ResourceLink name="users" global="UserDatabase"
                      type="org.apache.catalina.UserDatabase"/>
    </Context>

Tomcat is now configured to use the realm UserDatabaseRealm. Next, you configure your webapp's web.xml file like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Top Secret Stuff</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>secretagent</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Top Secret Stuff</realm-name>
    </login-config>
    <security-role>
        <description>Roles that each qualify a user to authenticate.</description>
        <role-name>secretagent</role-name>
    </security-role>

This configuration specifies that any request destined for the webapp causes Tomcat to send a BASIC authentication challenge, which requires users to authenticate with a username and password. It also restricts access to users whose accounts have the "secretagent" role. You can grant users this role by configuring conf/tomcat-users.xml as follows:

    <tomcat-users>
        <role rolename="secretagent"/>
        <user name="greg" password="007" roles="secretagent"/>
        <user name="ed" password="mycat" roles="secretagent"/>
        <user name="ken" password="mule" roles="secretagent"/>
    </tomcat-users>

After you have finished configuring realms, resources, security, and users, restart Tomcat and try accessing the webapp. You should be prompted for a username and password.
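Before restarting, it is worth checking the two files against each other, because the most common mistakes in this setup are silent: a <security-constraint> that has no <auth-constraint> at all (which leaves that URL pattern open to everyone), a role required in web.xml that no account in tomcat-users.xml actually holds (so nobody can log in), and BASIC or FORM authentication without a CONFIDENTIAL transport guarantee (so the password crosses the wire in clear text). The script below is an added example, not part of the original tip or of Tomcat; it uses only the Python standard library, embeds constructed copies of the tip's web.xml and tomcat-users.xml (with a second, deliberately unprotected constraint and a javaee namespace declaration added, since real web.xml files carry one), and reports those three conditions. Run it with the real file contents to audit a deployment.

```python
"""Offline audit of Tomcat container-managed security (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample based on the tip's web.xml. The "Public Files"
# constraint has no <auth-constraint>, which means "allow everyone".
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Top Secret Stuff</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>secretagent</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public Files</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role><role-name>secretagent</role-name></security-role>
</web-app>
"""

# Constructed sample based on the tip's tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="secretagent"/>
  <user name="greg" password="007" roles="secretagent"/>
  <user name="ed" password="mycat" roles="secretagent"/>
</tomcat-users>
"""


def _local(tag):
    """Strip a namespace: '{http://...}url-pattern' -> 'url-pattern'."""
    return tag.rsplit('}', 1)[-1]


def _find_all(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def _text(elem, name):
    found = _find_all(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def parse_web_xml(xml_text):
    """Return the auth method and one dict per <security-constraint>."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in _find_all(root, 'security-constraint'):
        auth = _find_all(sc, 'auth-constraint')
        constraints.append({
            'name': _text(sc, 'web-resource-name'),
            'patterns': [p.text.strip() for p in _find_all(sc, 'url-pattern')],
            # None: no <auth-constraint>, open to all. []: empty one, denied to all.
            'roles': [r.text.strip() for r in _find_all(auth[0], 'role-name')] if auth else None,
            'transport': _text(sc, 'transport-guarantee'),
        })
    return {'auth_method': _text(root, 'auth-method'), 'constraints': constraints}


def parse_tomcat_users(xml_text):
    """Map each role name to the users that hold it."""
    root = ET.fromstring(xml_text)
    roles = {r.get('rolename'): [] for r in _find_all(root, 'role')}
    for u in _find_all(root, 'user'):
        # The tip's file uses name=; newer tomcat-users.xml files use username=.
        name = u.get('username') or u.get('name')
        for role in (u.get('roles') or '').split(','):
            if role.strip():
                roles.setdefault(role.strip(), []).append(name)
    return roles


def audit(web_xml_text, tomcat_users_text):
    """Return a list of finding strings; an empty list means nothing to flag."""
    cfg = parse_web_xml(web_xml_text)
    roles = parse_tomcat_users(tomcat_users_text)
    findings = []
    for c in cfg['constraints']:
        if c['roles'] is None:
            findings.append(f"{c['name']}: {c['patterns']} has no <auth-constraint>; every request is permitted")
            continue
        for role in c['roles']:
            if role != '*' and not roles.get(role):
                findings.append(f"{c['name']}: role '{role}' has no users in tomcat-users.xml; nobody can log in")
        if cfg['auth_method'] in ('BASIC', 'FORM') and c['transport'] != 'CONFIDENTIAL':
            findings.append(f"{c['name']}: {cfg['auth_method']} auth without <transport-guarantee>CONFIDENTIAL</transport-guarantee>; credentials are sent in clear text")
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_WEB_XML, SAMPLE_TOMCAT_USERS):
        print(finding)
```

Against the embedded sample the script reports two findings: the "Top Secret Stuff" constraint uses BASIC without CONFIDENTIAL, and the "Public Files" constraint is open to everyone. Adding a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> to the first constraint clears the first finding, which is the "always use HTTPS" setting step 2 refers to.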

For more information on how realms work and how to configure them, see http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html. For information on how the default configuration works, see the MemoryRealm page at http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#MemoryRealm.


Today's tip was provided by sdozen12 on behalf of MuleSoft
