
Centrally secure all Tomcat webapps using BASIC authentication

I have a Tomcat 6 server containing three webapps: a custom one as ROOT, Jenkins and Nexus.

I would like to secure all three centrally (server.xml?) using BASIC authentication.

How can I achieve this without modifying or configuring the webapps themselves?

Axel Fontaine asked Mar 01 '11 23:03


2 Answers

First I tried (without success) to include the BasicAuthenticator valve in conf/context.xml. This didn't seem to have any effect.

Finally I got it to work (secured all webapps) by adding this snippet to conf/web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Basic Authentication</web-resource-name>
        <!-- The wildcard pattern requires authentication for the whole app -->
        <url-pattern>/*</url-pattern>
        <!-- No <http-method> elements: the constraint then applies to every HTTP method, not only GET and POST -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>myrole</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<security-role>
    <description>My role</description>
    <role-name>myrole</role-name>
</security-role>

Axel Fontaine answered Sep 26 '22 02:09
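
An added example, not part of the original answer or of Tomcat: a small audit of a `conf/web.xml` for gaps that matter with a global BASIC constraint. It flags `<http-method>` entries (a constraint that lists methods applies only to those methods), roles missing from `<security-role>`, and a missing `CONFIDENTIAL` transport guarantee. The function name, finding codes and sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a conf/web.xml (not taken from a real server).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Basic Authentication</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>myrole</role-name></security-role>
</web-app>"""

def audit_web_xml(xml_text):
    """Return sorted finding codes (hypothetical names) for a web.xml document."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop namespaces so paths stay simple
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = set()
    declared = {r.text.strip() for r in root.findall("security-role/role-name") if r.text}
    full_coverage = False
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern") if p.text]
        methods = [m.text.strip() for m in sc.iter("http-method") if m.text]
        auth = sc.find("auth-constraint")
        if auth is None:
            continue                            # constraint does not demand a login
        if methods:
            findings.add("METHODS_LISTED")      # only these methods are protected
        roles = {r.text.strip() for r in auth.findall("role-name") if r.text}
        if roles - declared - {"*"}:
            findings.add("ROLE_NOT_DECLARED")
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "").strip()
        if guarantee != "CONFIDENTIAL":
            # Informational when TLS is terminated by a proxy in front of Tomcat.
            findings.add("NO_CONFIDENTIAL_TRANSPORT")
        if "/*" in patterns and not methods:
            full_coverage = True
    if not full_coverage:
        findings.add("NO_FULL_COVERAGE")
    if (root.findtext("login-config/auth-method") or "").strip() != "BASIC":
        findings.add("NOT_BASIC")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE_WEB_XML))
```

BASIC credentials are only base64-encoded, so `NO_CONFIDENTIAL_TRANSPORT` matters whenever nothing else enforces TLS on the connection.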


Two ways come to mind:

  1. You can modify conf/context.xml, which gets included by all webapps, and insert the authentication directives in there. The disadvantage is that you cannot exclude one webapp from the authentication as far as I know, and all webapps will share the same role requirements (although that sounds like what you need).
  2. You can implement the security via Apache or some other webserver running in front of Tomcat. This makes sense especially if you already have one.

Shay Rojansky answered Sep 24 '22 02:09