To protect your web application, you can create a realm in Tomcat. A realm is a container-managed authentication mechanism: it protects your webapp by requiring a username and password before a request is allowed to proceed. Follow the steps below to create a realm:
Step 1. In the conf/server.xml file of your Tomcat instance, configure the Realm element that will authenticate requests destined for your webapp. Then configure the Resource element that tells Tomcat where to look for user accounts and passwords.
Step 2. Configure the security settings in your webapp's WEB-INF/web.xml file. This includes which authentication method to use (BASIC, DIGEST, FORM or CLIENT-CERT), whether to require HTTPS, and which URLs are to be secured.
For example, Tomcat ships with a UserDatabase preconfigured in conf/server.xml:
  <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase"
            description="User database that can be updated and saved"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml" />
This resource retrieves and stores user account information in conf/tomcat-users.xml. If you want to add a realm that uses this resource, add a Realm element just below the element that configures your webapp:
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
Then add a ResourceLink element to link the context to the realm:
  <Context path="" docBase="/opt/webapps/secretweb">
    <!-- Link to the user database we will get roles and users from. -->
    <ResourceLink name="users" global="UserDatabase"
                  type="org.apache.catalina.UserDatabase"/>
  </Context>
Tomcat is now configured and can use the UserDatabaseRealm realm. Your next step is to configure your webapp's web.xml file like this:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Top Secret Stuff</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>secretagent</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Top Secret Stuff</realm-name>
  </login-config>
  <security-role>
    <description>Roles that each qualify a user to authenticate.</description>
    <role-name>secretagent</role-name>
  </security-role>
This configuration specifies that any request destined for the webapp causes Tomcat to send a BASIC authentication challenge, which asks the user to authenticate by providing a username and password. It further restricts access to users whose accounts have the "secretagent" role. To grant users this role, configure conf/tomcat-users.xml:
  <tomcat-users>
    <role rolename="secretagent"/>
    <user name="greg" password="007" roles="secretagent"/>
    <user name="ed" password="mycat" roles="secretagent"/>
    <user name="ken" password="mule" roles="secretagent"/>
  </tomcat-users>
Once you have finished configuring the resource, realm, security constraints and users, restart Tomcat and try accessing the webapp. You should be prompted for a username and password.
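Because the role name must match across web.xml and tomcat-users.xml, a mismatch (like the misspelled role in the constructed sample below) silently locks everyone out. The following added example, not part of the original post, cross-checks the two files and also flags a BASIC-protected constraint that has no CONFIDENTIAL transport guarantee, since BASIC only base64-encodes the password; the sample XML is constructed for the check, and the user "ed" is given a deliberately misspelled role.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the web.xml security settings from the post.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Top Secret Stuff</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>secretagent</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config>
<security-role><role-name>secretagent</role-name></security-role>
</web-app>"""

# Constructed sample of conf/tomcat-users.xml; "ed" has a misspelled role.
TOMCAT_USERS = """<tomcat-users>
<role rolename="secretagent"/>
<user name="greg" password="007" roles="secretagent"/>
<user username="ed" password="mycat" roles="seceretagnet"/>
</tomcat-users>"""

def check_realm_config(web_xml: str, users_xml: str) -> list:
    """Return a list of findings; an empty list means the files are consistent."""
    findings = []
    web, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    declared = {(n.text or "").strip() for sr in web.findall("security-role")
                for n in sr.findall("role-name")}
    for sc in web.findall("security-constraint"):
        where = ", ".join(p.text or "" for p in sc.iter("url-pattern"))
        required = {(n.text or "").strip() for n in sc.iter("role-name")}
        for role in sorted(required - declared):
            findings.append(f"{where}: role '{role}' is not declared in <security-role>")
        # Tomcat only forces HTTPS for a constraint carrying a CONFIDENTIAL guarantee.
        tg = sc.find("user-data-constraint/transport-guarantee")
        if tg is None or (tg.text or "").strip() != "CONFIDENTIAL":
            findings.append(f"{where}: no CONFIDENTIAL transport-guarantee, credentials may travel in clear")
    defined = {r.get("rolename") for r in users.findall("role")}
    holders = {}
    for u in users.findall("user"):
        # Tomcat's MemoryUserDatabase accepts both 'username' and the legacy 'name'.
        name = u.get("username") or u.get("name")
        for role in filter(None, (r.strip() for r in (u.get("roles") or "").split(","))):
            holders.setdefault(role, []).append(name)
            if role not in defined:
                findings.append(f"user '{name}': role '{role}' has no <role> element")
    for role in sorted(declared - set(holders)):
        findings.append(f"role '{role}': no user holds it, so nobody can log in")
    return findings
```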