I believe that you need to password protect at the servlet container level. Do you use Tomcat? Here is what I used to configure basic authentication with Tomcat 6:
web.xml
<security-constraint> <web-resource-collection> <web-resource-name>Sesame Workbench</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>sesame-user</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>Sesame Workbench</realm-name> </login-config> <security-role> <description>The role required for Sesame workbench</description> <role-name>sesame-user</role-name> </security-role>
users.xml-cat
<role rolename="sesame-user"/> <user username="workbench" password="workbench" roles="sesame-user"/>