Menu
I'm trying to protect a resource in tomcat so that only "valid users" (those with a valid login and password in the realm) can access it. They do not necessarily belong to a group in the realm. I have tried with many combinations of the <security-constraint> directive without success. Any ideas?
832
Besides the auth-constraint you are adding to the security-constraint:
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
you need specify the security role in the web-app:
<security-role>
<role-name>*</role-name>
</security-role>
There are several realm implementation in tomcat - memory, database, JAAS and more. The easiest one to configure (though not the most secure) the memory one, which contains a single XML file, usually under conf/tomcat-users.xml:
<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
<user name="role1" password="tomcat" roles="role1" />
<user name="both" password="tomcat" roles="tomcat,role1" />
</tomcat-users>
The realm configuration is under the context, host or engine configurations, like this:
<Realm className="org.apache.catalina.realm.MemoryRealm"
pathname="conf/tomcat-users.xml" />
Then, in the web.xml you put the following definition:
<security-constraint>
<web-resource-collection>
<web-resource-name>MRC Customer Care</web-resource-name>
<url-pattern>/protected/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>role1</role-name>
</auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>YOUR REALM NAME</realm-name>
</login-config>
<security-role>
<description>
The role that is required to access the application.
Should be on from the realm (the tomcat-users.xml file).
</description>
<role-name>role1</role-name>
</security-role>
The web.xml part is taken (with slight change) from one of our web apps.
21
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
