How to use htpasswd protection in Tomcat?

I have already created a user database file using the Apache htpasswd command. This file is now used by several other applications, such as apache and subversion.

Users are created as follows:

htpasswd /path/to/users.htpasswd peter 

This user file is global, not a directory.

How can I get Tomcat 6 to use this file as a security area?

+4

3 answers

There are two options:

  • Use Apache as the front end of tomcat (using mod_jk or mod_proxy_ajp) and Apache will authenticate. You can find detailed information on how to do it here.

  • If you want tomcat to authenticate, you need to use something else besides the htpasswd file. There are 4 ways to save user credentials - using a database, JNDI/LDAP, XML file, or JAAS provider. You can read about all the options in Realm Configuration HOW-TO.

+1

The most similar to htpasswd might be MemoryRealm. I had trouble myself finding a simple example of how to use it, so I will post a simple code example here:

  • Configure the role, username and password in tomcat-users.xml

  • Your web.xml should contain something like:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>My Protected WebSite</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <!-- the same as in your tomcat-users.xml file -->
          <role-name>test</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Basic Authentication</realm-name>
      </login-config>
      <security-role>
        <description>Test role</description>
        <role-name>test</role-name>
      </security-role>

  • Add this to the server.xml file:

      <Realm className="org.apache.catalina.realm.MemoryRealm"></Realm>
+2

To provide access to your Tomcat website, you can implement your simple security restriction (e.g. in /var/lib/tomcat7/webapps/*/WEB-INF/web.xml) as shown below (just add it before the end </web-app>):

    <!-- This security constraint protects your webapp interface. -->
    <login-config>
      <!-- Define the Login Configuration -->
      <auth-method>BASIC</auth-method>
      <realm-name>Webapp</realm-name>
    </login-config>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Admin</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
      <!-- Specifying a Secure Connection -->
      <user-data-constraint>
        <!-- transport-guarantee can be CONFIDENTIAL (forced SSL), INTEGRAL, or NONE -->
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <!-- Authorization, see: tomcat-users.xml -->
    <security-role>
      <role-name>*</role-name>
    </security-role>

The login-config element contains the auth-method element, which specifies the authentication method that is used, BASIC. The security-constraint element contains 3 elements: web-resource-collection, auth-constraint and user-data-constraint. The web resource collection lists the parts of our application that require authentication. /* indicates that authentication is required for the entire application. The auth constraint defines the role that a user must have in order to access protected resources. The transport guarantee for the user data constraint can be NONE, CONFIDENTIAL or INTEGRAL. We set it to NONE, which means that redirection to SSL is not required when you try to reach a protected resource.

Also make sure you have the line:

    <Realm className="org.apache.catalina.realm.MemoryRealm" />

inside the conf/server.xml (Engine) section.

If you have not changed any configuration files, view the conf/tomcat-users.xml in your installation (locate tomcat-users.xml). This file must contain credentials that allow you to use the Tomcat webapp.

For example, to add the gui manager role to a user named tomcat with the password s3cret, add the following to the configuration file above:

    <role rolename="manager-gui"/>
    <user username="tomcat" password="s3cret" roles="manager-gui"/>

You can then access your webapps manager from /manager/html (e.g. rebooting after configuration changes).

Read more: App Manager HOW-TO.

Then restart Tomcat and, turning to your webapp, it will ask you to enter the correct credentials.

See also:

+2
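As an added check that is not part of the question or any answer above, and assuming only the Python standard library: a small audit of the security-constraint blocks in a web.xml that flags what the two configurations above leave open: BASIC authentication with transport-guarantee NONE (credentials are merely base64-encoded unless TLS is terminated in front of Tomcat), a constraint limited to GET and POST (under the Servlet spec, listing http-method elements constrains only those methods, so others stay uncovered), and the catch-all role "*". The sample documents are constructed from the fragment in the last answer; the function, constant names and severities are my own.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip a default namespace such as {http://java.sun.com/xml/ns/javaee}
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    # All non-empty text values of descendants named `name`, namespace-agnostic
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]

def audit_web_xml(xml_text):
    """Return a list of (severity, message) findings for a web.xml document."""
    root = ET.fromstring(xml_text)
    auth_methods = _texts(root, "auth-method")
    findings = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        name = (_texts(sc, "web-resource-name") or ["?"])[0]
        methods = _texts(sc, "http-method")
        # Servlet spec: without a <user-data-constraint> the guarantee defaults to NONE
        guarantee = (_texts(sc, "transport-guarantee") or ["NONE"])[0]
        roles = _texts(sc, "role-name")
        if methods:
            findings.append(("high", f"{name}: only {methods} constrained; other HTTP methods are uncovered"))
        if "BASIC" in auth_methods and guarantee != "CONFIDENTIAL":
            findings.append(("high", f"{name}: BASIC auth over transport-guarantee {guarantee}; credentials are only base64-encoded"))
        if "*" in roles:
            findings.append(("info", f"{name}: role '*' admits every authenticated user"))
    return findings

# Constructed sample: the web.xml fragment from the answer above, wrapped in <web-app>
PAGE_WEB_XML = """<web-app>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-constraint>
    <web-resource-collection><web-resource-name>Admin</web-resource-name>
      <url-pattern>/*</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint></web-app>"""

# Constructed hardened variant: all methods covered, TLS required, a named role
HARDENED_WEB_XML = """<web-app>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-constraint>
    <web-resource-collection><web-resource-name>Admin</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint></web-app>"""
```

Run `audit_web_xml(PAGE_WEB_XML)` to see the three findings; the hardened variant returns an empty list.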
