Granny's Programming Pearls
"inside of every large program is a small program struggling to get out"
The moose likes Tomcat and the fly likes How to password-protect ALL of Tomcat? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » Tomcat
Bookmark "How to password-protect ALL of Tomcat?" Watch "How to password-protect ALL of Tomcat?" New topic

How to password-protect ALL of Tomcat?

pat larser

Joined: Mar 03, 2011
Posts: 4
I recently deployed Tomcat with a webapp (Zilverline). I had no problems creating a password protection on the webapp directory (http://localhost:8080/zilverline). But I am unconfortable keeping port 8080 open without password protection. Right now if I just go to http://localhost:8080, it's a blank page because I removed all other webapps for security. But can I password protect just everything?

Thank you.
Tom Reilly

Joined: Jun 01, 2010
Posts: 618
I can't answer your specific question but recommend that you consider using SSL. You see that as https in the browser. The default port for using SSL is 443. Even if you password protect all the applications, the passwords are sent in the clear when you don't use SSL. That is, the passwords are sent as regular text so anyone with a network sniffer can see them.
Stefan Evans

Joined: Jul 06, 2005
Posts: 1580
You can only password protect each seperate web application in its own web.xml file.

So you need to configure a web application that, and has the same configuration settings which disallow access.
Essentially that is a standard web application with its context path set to empty string.

docs link

pat larser

Joined: Mar 03, 2011
Posts: 4
Thank you to both of you!
I was able to VERY EASILY implement SSL using the 2-step process found on Tomcat's site
I also created an empty ROOT webapp that was password protected as well so that *hopefully* nothing should be openly accessible.

Thanks again!
I agree. Here's the link:
subject: How to password-protect ALL of Tomcat?
It's not a secret anymore!