Monday, October 06, 2008

Securing web apps deployed in Apache Tomcat using HTTP Basic Authentication

If you want to protect a set of resources in a web app using HTTP Basic Authentication, it is pretty easy. You only need to modify the web.xml file, which is located at webAppRoot/WEB-INF/web.xml, and add the following entries.


<web-app>

  <security-constraint>
    <!-- web resources that are protected -->
    <web-resource-collection>
      <web-resource-name>Axis2 web services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <!-- roles that are allowed to access the web resources specified above -->
    <auth-constraint>
      <role-name>ws-users</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- challenge unauthenticated clients with HTTP Basic; the realm name is sent back in the WWW-Authenticate header -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>nandana.org</realm-name>
  </login-config>

</web-app>



In this case, we allow only users with the role “ws-users” to access this resource. You can define the roles and users in the tomcat-users.xml file, which can be found at tomcatRoot/conf/tomcat-users.xml. So in the above case, it will be something like


<tomcat-users>
  <!-- roles must be declared before they are assigned to users -->
  <role rolename="tomcat"/>
  <role rolename="ws-users"/>
  <!-- users holding the "ws-users" role; passwords are stored here in clear text -->
  <user username="nandana" password="nandana" roles="ws-users"/>
  <user username="chamanthi" password="chamanthi" roles="ws-users"/>
</tomcat-users>


And that's it. Now if we try to access a resource that falls into the given URL pattern, we will be authenticated using HTTP Basic authentication.
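To make visible what the container does with the two files above, here is a small Python model of the decision Tomcat takes for each request: match the path against the url-pattern, demand credentials with a 401 and a WWW-Authenticate header carrying the realm name, decode the Basic header, check the password against tomcat-users.xml, and finally check the role from auth-constraint. This is an added example written for this post, not Tomcat's or Axis2's code; the path /services/Version, the extra "guest" user with only the "tomcat" role, and the first-match pattern rule (Tomcat applies the full servlet-spec precedence rules) are assumptions made for the demonstration.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

# Constructed copies of the two descriptors from the post (plus a "guest"
# user that holds a role *not* listed in the auth-constraint).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Axis2 web services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ws-users</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>nandana.org</realm-name>
  </login-config>
</web-app>"""

TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="ws-users"/>
  <user username="nandana" password="nandana" roles="ws-users"/>
  <user username="chamanthi" password="chamanthi" roles="ws-users"/>
  <user username="guest" password="guest" roles="tomcat"/>
</tomcat-users>"""


def load_constraints(web_xml):
    """Return ([(url_patterns, required_roles), ...], realm_name) from web.xml."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        constraints.append((patterns, roles))
    realm = root.findtext("login-config/realm-name", default="").strip()
    return constraints, realm


def load_users(tomcat_users_xml):
    """Return {username: (password, set_of_roles)} from tomcat-users.xml."""
    root = ET.fromstring(tomcat_users_xml)
    users = {}
    for u in root.findall("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = (u.get("password"), roles)
    return users


def pattern_matches(pattern, path):
    """Servlet-style url-pattern match: exact, prefix ('/x/*'), extension ('*.ext') or default ('/')."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def parse_basic(header):
    """Decode 'Basic <base64(user:password)>'; return (user, password) or None if absent/malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def basic_header(user, password):
    """Build the Authorization header value a client sends (base64 is encoding, not encryption)."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def authorize(path, auth_header, constraints, realm, users):
    """Return (status, extra_headers) the container would answer with for this request."""
    required = None
    for patterns, roles in constraints:          # first matching constraint wins (simplification)
        if any(pattern_matches(p, path) for p in patterns):
            required = set(roles)
            break
    if required is None:
        return 200, {}                            # unprotected resource
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    creds = parse_basic(auth_header)
    if creds is None:
        return 401, challenge                     # no/invalid credentials: challenge the client
    user, password = creds
    known = users.get(user)
    if known is None or not hmac.compare_digest(known[0].encode(), password.encode()):
        return 401, challenge                     # unknown user or wrong password
    if not (known[1] & required):
        return 403, {}                            # authenticated, but lacks a required role
    return 200, {}


if __name__ == "__main__":
    cons, realm = load_constraints(WEB_XML)
    users = load_users(TOMCAT_USERS_XML)
    for path, hdr in [("/index.html", None), ("/services/Version", None),
                      ("/services/Version", basic_header("nandana", "nandana")),
                      ("/services/Version", basic_header("guest", "guest"))]:
        print(path, hdr, "->", authorize(path, hdr, cons, realm, users))
```

Note that the Authorization header is only base64-encoded, so on a real deployment the same constraint should be paired with a user-data-constraint whose transport-guarantee is CONFIDENTIAL (or otherwise be served only over HTTPS); the model above also shows why a wrong password and a missing header both produce the same 401 challenge, while a valid user without the role gets 403 instead.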
