I recently deployed Tomcat with a webapp (Zilverline). I had no problems creating a password protection on the webapp directory (http://localhost:8080/zilverline). But I am uncomfortable keeping port 8080 open without password protection. Right now if I just go to http://localhost:8080, it's a blank page because I removed all other webapps for security. But can I password protect just everything?
I can't answer your specific question but recommend that you consider using SSL. You see that as https in the browser. The default port for using SSL is 443. Even if you password protect all the applications, the passwords are sent in the clear when you don't use SSL. That is, the passwords are sent as regular text so anyone with a network sniffer can see them.
You can only password protect each separate web application in its own web.xml file.
So you need to configure a web application that, and has the same configuration settings which disallow access.
Essentially that is a standard web application with its context path set to empty string.
Thank you to both of you!
I was able to VERY EASILY implement SSL using the 2-step process found on Tomcat's site. I also created an empty ROOT webapp that was password protected as well so that *hopefully* nothing should be openly accessible.
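
The setup the thread arrives at (an empty ROOT webapp that requires a login, served only over SSL) can be expressed in that webapp's `ROOT/WEB-INF/web.xml`. This is an added example, not a file posted by anyone in the thread; the role name `site-user`, the realm name and the Servlet 2.4 descriptor version are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ROOT/WEB-INF/web.xml (added example; role and realm names are assumptions) -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything under the empty context path</web-resource-name>
      <!-- /* covers every URL that no other deployed webapp claims -->
      <url-pattern>/*</url-pattern>
      <!-- No http-method elements: listing methods here would leave
           the unlisted ones unprotected -->
    </web-resource-collection>

    <!-- Only authenticated users holding this role get through -->
    <auth-constraint>
      <role-name>site-user</role-name>
    </auth-constraint>

    <!-- Require an encrypted transport so the BASIC credentials are
         never sent in the clear over the plain HTTP connector -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected area</realm-name>
  </login-config>

  <security-role>
    <role-name>site-user</role-name>
  </security-role>
</web-app>
```

With `CONFIDENTIAL` set, Tomcat redirects a plain-HTTP request to the connector's `redirectPort` before asking for credentials. The same `user-data-constraint` has to be added to the Zilverline webapp's own web.xml as well, since each web application is constrained separately.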