How do I provide basic http authentication for static tomcat webapps without changing tomcat-users.xml?

I have access to the tomcat manager and can upload war-files. One of these wars is a static web project (zipped html + media files, renamed to *.war). I want to add a WEB-INF/web.xml file to this war to protect the content with basic http auth.

I know how to do this by adding global users and assigning roles in the tomcat-users.xml, but I want to have all usernames and passwords defined in my war-file.

  1. Can this be done without touching the tomcat's tomcat-users.xml?
  2. And if yes, how do I specify this in my static project's web.xml?

Thx, Juve

Juve asked Oct 11 '11 12:10



2 Answers

I found a solution here: http://wiki.metawerx.net/wiki/SecuringYourSiteWithContainerManagedSecurity

The page describes how to define your own META-INF/context.xml pointing to your own WEB-INF/users.xml. Unfortunately, the link to the users.xml file has to be absolute, and I do not want to make any assumptions on the OS/filesystem paths in my config files.

Here is my current WEB-INF/web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_5.xsd"
    version="2.5">

    <display-name>SuperCoolTool</display-name>
    <description>What an awesome app!</description>

    <security-role>
        <role-name>manager</role-name>
    </security-role>
    <security-role>
        <role-name>keyuser</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>
                Entire Application
            </web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>keyuser</role-name>
            <role-name>manager</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Evaluation Area</realm-name>
    </login-config>

</web-app> 

A matching META-INF/context.xml would look like this:

<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Realm className="org.apache.catalina.realm.MemoryRealm"
           pathname="[PATH-TO-YOUR-WEBAPP]/WEB-INF/users.xml"/>
</Context>
Juve answered Oct 24 '22 21:10
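The context.xml above points the MemoryRealm at WEB-INF/users.xml but neither post shows that file. As an added example (not from either answer), here is a users.xml that matches the two roles declared in the posted web.xml; MemoryRealm reads the same format as tomcat-users.xml. The user names and passwords are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/users.xml: constructed example user database for the MemoryRealm
     declared in META-INF/context.xml. Same schema as tomcat-users.xml. -->
<tomcat-users>
    <!-- Roles must match the <role-name> entries in WEB-INF/web.xml,
         otherwise the <auth-constraint> never lets anyone in. -->
    <role rolename="manager"/>
    <role rolename="keyuser"/>

    <!-- Constructed accounts; replace the placeholder passwords before deploying.
         MemoryRealm compares these as plaintext unless a digest is configured. -->
    <user username="alice" password="CHANGE-ME-alice" roles="manager,keyuser"/>
    <user username="bob"   password="CHANGE-ME-bob"   roles="keyuser"/>
</tomcat-users>
```

Two things to keep in mind with this approach. The container never serves anything under WEB-INF/ over HTTP, but anyone who can download the WAR through the manager application or read the deployment directory gets the credentials, so store digested passwords rather than plaintext (Tomcat 7 uses a `digest` attribute on the `<Realm>`; Tomcat 8 and later use a nested `<CredentialHandler>` element). And because BASIC only Base64-encodes the username and password on every request, add a `<user-data-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` to the `<security-constraint>` so the container redirects to HTTPS before prompting.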


If you know the directory where Tomcat puts all deployed apps, you can use relative paths (because they are resolved relative to the catalina.base env. variable, i.e. the Tomcat home).

For example, if you are deploying using the Eclipse IDE, apps are usually deployed in wtpwebapps, so you can use:

<Realm className="org.apache.catalina.realm.MemoryRealm"
       pathname="wtpwebapps/YOUR_APP_NAME/WEB-INF/users.xml"/>

Not perfect yet, but at least you are not using full paths.

An alternative would be to implement your own Realm that extends MemoryRealm and pre-processes the pathname before calling super.setPathname().

You can also go for a DataSourceRealm, which does not have this problem and is suitable for production.

For a servlet-container-independent approach you can use a security framework based on filters (e.g. Spring Security, ...).

Jorge Simão answered Oct 24 '22 22:10
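The answer recommends a DataSourceRealm as the production option because it needs no filesystem path at all. As an added example that is not part of the answer, this META-INF/context.xml declares a webapp-local JNDI DataSource and a DataSourceRealm on top of it, so the WAR still carries its own realm without touching tomcat-users.xml or server.xml. The JNDI name, JDBC URL, database account, table and column names are all assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml: constructed example of a DataSourceRealm backed by a
     DataSource private to this webapp. Every name below is an assumption. -->
<Context>
    <!-- Connection pool owned by this context; the webapp sees it as
         java:comp/env/jdbc/AuthDB. The JDBC driver jar must be on Tomcat's
         lib path. Prefer a server-side context file over shipping the real
         database password inside a WAR that others can download. -->
    <Resource name="jdbc/AuthDB"
              auth="Container"
              type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://db.example.internal:5432/auth"
              username="tomcat_auth"
              password="CHANGE-ME"/>

    <!-- localDataSource="true" resolves dataSourceName in the webapp's own JNDI
         context instead of the global one, so no server.xml edit is needed.
         Assumed schema:
           app_user(user_name varchar primary key, user_pass varchar)
           app_user_role(user_name varchar, role_name varchar)
         With digest="SHA-256" (Tomcat 7 attribute syntax) user_pass holds hex
         SHA-256 digests instead of plaintext; Tomcat 8+ expresses the same via
         a nested <CredentialHandler> element. -->
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           localDataSource="true"
           dataSourceName="jdbc/AuthDB"
           userTable="app_user"
           userNameCol="user_name"
           userCredCol="user_pass"
           userRoleTable="app_user_role"
           roleNameCol="role_name"
           digest="SHA-256"/>
</Context>
```

The `<security-constraint>` and `<login-config>` in WEB-INF/web.xml stay exactly as in the question; only the realm that answers "does this user have role keyuser or manager" changes. Give the database account read-only access to the two auth tables, since the realm only ever needs SELECT.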