How to use htpasswd protection in Tomcat?

Question

I have already created a user database file using Apache's htpasswd command. This file is now used by several other application like apache and subversion.

Users in are created like this:

htpasswd /path/to/users.htpasswd peter

This user file is global, not per directory.

How I can make Tomcat 6 use this same file as a security realm?

Answer 1

Most similar to the htpasswd may be the MemoryRealm. I had problems myself to find a simple example how to use it, so I'll post an easy example code here:

1. Set up a role, username and password in tomcat-users.xml

2. Your web.xml should contain something like:

      <security-constraint>
        <web-resource-collection>
         <web-resource-name> 
           My Protected WebSite 
         </web-resource-name>
         <url-pattern> /* </url-pattern>
         <http-method> GET </http-method>
         <http-method> POST </http-method>
       </web-resource-collection>
       <auth-constraint>
       <!-- the same like in your tomcat-users.conf file -->
         <role-name> test </role-name>
       </auth-constraint>
     </security-constraint>
      <login-config>
       <auth-method> BASIC </auth-method>
       <realm-name>  Basic Authentication </realm-name>
     </login-config>
     <security-role>
       <description> Test role </description>
       <role-name> test </role-name>
     </security-role>
   

3. Add this to your server.xml file:

   <Realm className="org.apache.catalina.realm.MemoryRealm"></Realm>
   

Answer 2

To secure access to your Tomcat webapp, you can implement your simple security constraint (e.g. in /var/lib/tomcat7/webapps/*/WEB-INF/web.xml) as below (just add it before </web-app> ending):

<!-- This security constraint protects your webapp interface. -->
<login-config>
  <!-- Define the Login Configuration -->
  <auth-method>BASIC</auth-method>
  <realm-name>Webapp</realm-name>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <!-- Specifying a Secure Connection -->
  <user-data-constraint>
    <!-- transport-guarantee can be CONFIDENTIAL (forced SSL), INTEGRAL, or NONE -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- Authorization, see: tomcat-users.xml --> 
<security-role>
  <role-name>*</role-name>
</security-role>

The login-config element contains the auth-method element, which specifies the authentication method that we use, which is BASIC. The security-constraint element contains 3 elements: web-resource-collection, auth-constraint, and user-data-constraint. The web-resource-collection specifies the parts of our application that require authentication. The /* indicates that the whole application requires authentication. The auth-constraint specifies the role that a user needs to have in order to access the protected resources. The user-data-constraint's transport-guarantee can be NONE, CONFIDENTIAL or INTEGRAL. We set it to NONE, which means that redirecting to SSL is not required when you try to hit the protected resource.

Also make sure that you've line:

<Realm className="org.apache.catalina.realm.MemoryRealm" />

inside your conf/server.xml (Engine section).

If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation (locate tomcat-users.xml). That file must contain the credentials to let you use Tomcat webapp.

For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above:

<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>

Then you can access your webapps manager from /manager/html (e.g. reloading after config changes).

Read more: Manager App HOW-TO.

Then restart your Tomcat and when accessing your webapp, it should ask you for the right credentials.

See also:

• HTTP Basic Authentication in Java at Oracle site
• Specifying an Authentication Mechanism in Java at Oracle site
• Realm Configuration HOW-TO at Apache Tomcat site
• Setting up role based security in tomcat
• How do I use Basic authentication with Tomcat?

Answer 3

There are two options:

1. Use Apache as a front end to the tomcat (using either mod_jk or mod_proxy_ajp) and the Apache do the authentication. You can find details on how to do so here

2. If you want the tomcat to do the authentication, then you need ot use something else than the htpasswd file. There are 4 ways to save the users' credentials - using database, JNDI/LDAP, an XML file or a JAAS provider. You can read about all the options in the Realm Configuration HOW-TO.