Last Updated on January 11, 2020

This post demonstrates how to use BASIC Authentication in a web application in Java using Tomcat.

Contents

1 Requirements
2 Users and Roles
3 Update web.xml
4 SSL
5 References

Requirements

Tomcat 8.5.37
Open JDK 1.8.0_192

Users and Roles

Update conf/tomcat-users.xml with the following roles and users.

<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="role1"/>
  <role rolename="role2"/>
  <user username="karl" password="password" roles="role1, role2"/>
</tomcat-users>

<tomcat-users xmlns="http://tomcat.apache.org/xml"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"

version="1.0">

</tomcat-users>

Update web.xml

Then, modify web.xml with the following security-constraint and login-config elements.

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>all-protected</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
		<auth-constraint>
			<role-name>role1</role-name>
		</auth-constraint>
		<user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Turreta.com</realm-name>
    </login-config>	
</web-app>

<?xml version="1.0" encoding="UTF-8"?>

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"

version="4.0">

<security-constraint>

<web-resource-collection>

<web-resource-name>all-protected</web-resource-name>

<url-pattern>/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>role1</role-name>

</auth-constraint>

<user-data-constraint>

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

</user-data-constraint>

</security-constraint>

<login-config>

<auth-method>BASIC</auth-method>

<realm-name>Turreta.com</realm-name>

</login-config>

</web-app>

Here we wanted to restrict the whole application.

SSL

The CONFIDENTIAL value for transport-guarantee element forces the authentication process to be done in SSL.

References

https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html

Java Web Application BASIC Authentication in Tomcat

Requirements

Users and Roles

Update web.xml

SSL

References

Karl San Gabriel

Requirements

Users and Roles

Update web.xml

SSL

References

Related posts:

Karl San Gabriel