Confused Development

I develop software and I often get confused in the process. I usually find the answers after a while, but a month later I can't remember them. So from now on, I will write them down here.

Monday, October 15, 2007

Realm-based authentication for Tomcat Web Apps

I needed to find out how to secure a Tomcat Web App with a password, and found the answer here. Basically, you need to edit the Web app's web.xml and add this little piece of XML to it:
<!-- Define a security constraint on this application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- This role is not in the default user directory -->
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
<!-- Define the login configuration for this application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Manager Application</realm-name>
</login-config>
This is enough if you want to protect the Web app with the same password as the manager application (changing the realm name would probably make sense). If you want to define a new role for this Web app, you can do it as follows (again taking the example from the manager, so change the description and role name):
<!-- Security roles referenced by this web application -->
<security-role>
  <description>
    The role that is required to log in to the Manager Application
  </description>
  <role-name>manager</role-name>
</security-role>
All that needs to be done now is to reload your Web app.
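
An added example, not from the original post: the web.xml fragments above combined for an application-specific role, together with the matching user entry, since security-role only declares a role name and does not create a user that holds it. It assumes Tomcat's default UserDatabaseRealm reading conf/tomcat-users.xml; the role name myapp-user, the user name alice, the realm name and the password placeholder are hypothetical. The user-data-constraint is included because BASIC sends the password merely base64-encoded, so the constraint forces it onto HTTPS.

```xml
<!-- WEB-INF/web.xml (fragment): protect the whole app with its own role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Hypothetical role name; must match security-role below and the
         role granted to the user in tomcat-users.xml -->
    <role-name>myapp-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC credentials are only base64-encoded, so require TLS.
         Needs an HTTPS connector configured in server.xml. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <!-- Hypothetical realm name, shown in the browser's password prompt -->
  <realm-name>My Web App</realm-name>
</login-config>

<security-role>
  <description>Role required to access this Web app</description>
  <role-name>myapp-user</role-name>
</security-role>

<!-- conf/tomcat-users.xml (fragment, goes inside <tomcat-users>):
     security-role only declares the role name; the realm must still
     contain a user that holds it. -->
<role rolename="myapp-user"/>
<!-- Placeholder credentials: replace before use -->
<user username="alice" password="REPLACE_WITH_STRONG_PASSWORD" roles="myapp-user"/>
```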

1 Comments:

At 8:42 pm, Blogger just another blog... said...

But it's not working if I provide that alone for a new role. Should I have to provide any in context.xml and server.xml?

 
