
Tomcat Password Protection

 
Kevin Wright
Ranch Hand
Posts: 38
Is there any way that I can add password functionality to Tomcat? For example, I want to create a set of pages that are password-protected. I don't want just a main page to log in to (but that is my current only option); I want to be able to send people links to certain pages, and have the password authentication pop up when they link to that page... I hope that is clear...
Thanks,
Kevin Wright
 
Sam Dalton
Author
Ranch Hand
Posts: 170
Kevin,
The solution you are after is very simple to implement with Tomcat. There are a couple of simple steps that you need to perform; they are detailed below:
1. In the web.xml file for your webapp, add lines like the following:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>AdminResources</web-resource-name>
    <!-- URL patterns are relative to the context root and must start with "/" -->
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Test Secure Area</realm-name>
</login-config>
The url-pattern lines indicate the URLs to secure; for example, the above will secure ALL files in the admin directory of my webapp (note: you can secure individual files as well).
2. Add your web app context to your server.xml file using a line like <Context path="/security" docBase="d:/jakarta-tomcat-4.0-b3/webapps/securityTest" debug="0" reloadable="true" crosscontext="true" trusted="true" />
3. Now add the usernames/passwords/roles to the tomcat-users.xml file. For example, <user name="testuser" password="password" roles="admin" /> will create a user called testuser with the password "password", and assign them to a role of admin. In the above example they will be able to gain access to the admin directory of your web app. Roles can be comma separated if a user is of 2 or more roles.
You can also store the users in a JDBC database, but this is a bit more involved. Post again if you want to know how to do this!

Hope this helps
Rgds
Sam
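
A check for the kind of web.xml constraint shown in the reply above, as an added example that is not part of the original thread. It parses a constructed copy of the posted fragment and flags three things the servlet rules make easy to miss: a url-pattern without a leading "/", a constraint limited to named HTTP methods, and password authentication without a CONFIDENTIAL transport guarantee. The function name audit_web_xml and the finding codes are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the reply above, wrapped in <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminResources</web-resource-name>
      <url-pattern>admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def audit_web_xml(xml_text):
    """Return (code, detail) findings; names and codes are this example's own."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    findings = []
    for sc in root.iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            name = (wrc.findtext("web-resource-name") or "?").strip()
            for pat in wrc.findall("url-pattern"):
                p = (pat.text or "").strip()
                # Only "/..." (path) and "*.ext" (extension) patterns can
                # cover a directory or file type; "admin/*" does neither.
                if p and not p.startswith(("/", "*.")):
                    findings.append(("BAD_URL_PATTERN", f"{name}: {p!r}"))
            methods = sorted(m.text.strip() for m in wrc.findall("http-method") if m.text)
            if methods:
                # Naming methods limits this constraint to them; any other
                # method (HEAD, PUT, DELETE, ...) is not covered by it.
                findings.append(("UNLISTED_METHODS_OPEN", f"{name}: {methods}"))
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "").strip()
        if auth in ("BASIC", "FORM") and tg != "CONFIDENTIAL":
            # BASIC/FORM send the password itself; require TLS for the area.
            findings.append(("CREDENTIALS_OVER_PLAIN_HTTP", f"auth-method {auth}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_web_xml(WEB_XML):
        print(code, detail)
```

A fragment that uses "/admin/*", omits the http-method elements and adds a user-data-constraint with transport-guarantee CONFIDENTIAL produces no findings.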

 
Mike Curwen
Ranch Hand
Posts: 3695
Sam, I can't help but think you are knowledgeable in the ways of Application Security.

Will you instruct this Jedi-apprentice and peek at this please? http://www.javaranch.com/ubb/Forum11/HTML/001224.html
Thanks.
 