How to restrict access to web applications in Tomcat

October 07, 2009, 8:13 AM — You can create a realm in Tomcat, a container-managed authentication mechanism that allows you to protect all or part of your webapp by requiring a username and password before requests can be processed. To create a realm, you take the following steps:

1. In your Tomcat instance's conf/server.xml file, configure the element to require authentications for requests destined for your webapp or host, and configure the element to tell Tomcat where to look for user accounts and password information.

[ See also: How to configure Tomcat to always require HTTPS ]

2. In your webapp's WEB-INF/web.xml file, configure the security settings, including which URIs to secure, which authentication method to use (BASIC, DIGEST, FORM, or CLIENT-CERT), and whether to always use HTTPS.

Example:

By default, Tomcat includes a UserDatabase resource preconfigured in conf/servlet.xml:

    <Resource name="UserDatabase" auth="Container"
        type="org.apache.catalina.UserDatabase"
        description="User database that can be updated and saved"

    factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
        pathname="conf/tomcat-users.xml" />

This resource stores and retrieves user account information in conf/tomcat-users.xml. To declare a realm that uses this resource, you add a element, typically just below the element that configures your webapp:

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
        resourceName="UserDatabase"/>

Next, you add a element to the to link the context to the realm:

    <Context path="" docBase="/opt/webapps/secretweb">
        <!-- Link to the user database we will get roles and users from. -->
        <ResourceLink name="users" global="UserDatabase"
            type="org.apache.catalina.UserDatabase"/>
    </Context>

Tomcat is now configured to use the realm UserDatabaseRealm. Next, you configure your webapp's web.xml file like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Top Secret Stuff</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>secretagent</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Top Secret Stuff</realm-name>
    </login-config>
    <security-role>
        <description>Roles that each qualify a user to authenticate.
        </description>
        <role-name>secretagent</role-name>
    </security-role>

This configuration specifies that any request destined for the webapp causes Tomcat to send a BASIC authentication challenge, which requires users to authenticate with a username and password. It also restricts access to users whose accounts have the "secretagent" role. You can grant users this role by configuring conf/tomcat-users.xml as follows:

<tomcat-users>
  <role rolename="secretagent"/>
  <user name="greg" password="007" roles="secretagent"/>
  <user name="ed" password="mycat" roles="secretagent"/>
  <user name="ken" password="mule" roles="secretagent"/>
</tomcat-users>

After you have finished configuring realms, resources, security, and users, restart Tomcat and try accessing the webapp. You should be prompted for a username and password.

For more information on how realms work and how to configure them, see http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html. For information on how the default configuration works, see the MemoryRealm page at http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#MemoryRealm.

Do you have a question on installing, configuring, or deploying Apache Tomcat? Submit it here.

___________________

Today's tip was provided by sdozen12 on behalf of MuleSoft

Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.