I am developing a web application using JSP + Servlet, and I use Tomcat 7.0.33 as the web container.
My requirement is that every application in Tomcat is password protected, just like the manager application in Tomcat is protected.
So far I have been doing the following:
server.xml
<Realm className="org.apache.catalina.realm.MemoryRealm" />
tomcat-users.xml
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager-gui"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="role1,tomcat,manager-gui"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>
web.xml
<security-role>
  <role-name>role1</role-name>
</security-role>
<security-role>
  <role-name>tomcat</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>webappname</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>role1</role-name>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>webappname</realm-name>
</login-config>
It works great when someone opens an application by its application path (it asks for a username and password, and the application accepts role1 or tomcat for authentication).
But the problem is that if I log in as the tomcat user, who has all the roles, and the manager screen is displayed listing all the applications deployed on the server, then when I try to open mywebapplication it asks for the user name and password.
My question is: if I assigned all roles to tomcat, then why does it ask for a password if I am logged in as tomcat? Is there any way to avoid this?
Thanks in advance.