How can I restrict access to my web application in Tomcat?

You can create a realm in Tomcat, a container-managed authentication mechanism that allows you to protect all or part of your webapp by requiring a username and password before requests can be processed. To create a realm, you take the following steps:

  1. In your Tomcat instance’s conf/server.xml file, configure a <Realm> element for the <Engine>, <Host>, or <Context> whose requests should require authentication, and a <Resource> element (inside <GlobalNamingResources>) that tells Tomcat where to look up user accounts, passwords, and roles.
  2. In your webapp’s WEB-INF/web.xml file, configure the security settings: which URIs to secure, which authentication method to use (BASIC, DIGEST, FORM, or CLIENT-CERT), and whether to require HTTPS (a <user-data-constraint> whose <transport-guarantee> is CONFIDENTIAL).


Example:

By default, Tomcat includes a UserDatabase resource preconfigured inside the <GlobalNamingResources> element of conf/server.xml:

    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />

This resource stores and retrieves user account information in conf/tomcat-users.xml. To declare a realm that uses this resource, you add a <Realm> element nested inside the <Engine>, <Host>, or <Context> element whose requests it should protect (the default server.xml places it inside <Engine>, so it applies to every host and webapp):


      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

The realm looks the resource up in the server's global naming context, so the webapp needs no link to it for authentication to work. If the webapp's own code wants to read the user database through JNDI (here as java:comp/env/users), add a <ResourceLink> element to its <Context>:


    <Context path="" docBase="/opt/webapps/secretweb">
        <!-- Link to the user database we will get roles and users from. -->
        <ResourceLink name="users" global="UserDatabase"
                      type="org.apache.catalina.UserDatabase"/>
    </Context>

Tomcat is now configured to authenticate against the UserDatabaseRealm. Next, you configure your webapp's WEB-INF/web.xml file like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Top Secret Stuff</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>secretagent</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Top Secret Stuff</realm-name>
    </login-config>
    <security-role>
        <description>Role that qualifies a user to access the webapp.</description>
        <role-name>secretagent</role-name>
    </security-role>


This configuration specifies that any request destined for the webapp causes Tomcat to send a BASIC authentication challenge (a 401 response whose WWW-Authenticate header names the realm "Top Secret Stuff"), which requires users to authenticate with a username and password. It also restricts access to users whose accounts have the “secretagent” role; a user who authenticates successfully but lacks that role receives a 403. Because BASIC sends the base64-encoded username and password with every request, pair it with a <user-data-constraint> whose <transport-guarantee> is CONFIDENTIAL so that Tomcat serves these URIs only over HTTPS. You can grant users the role by configuring conf/tomcat-users.xml as follows:

    <tomcat-users>
      <!-- Passwords are stored in clear text here; keep this file readable only by the Tomcat user. -->
      <role rolename="secretagent"/>
      <user username="greg" password="007" roles="secretagent"/>
      <user username="ed" password="mycat" roles="secretagent"/>
      <user username="ken" password="mule" roles="secretagent"/>
    </tomcat-users>


After you have finished configuring realms, resources, security, and users, restart Tomcat and try accessing the webapp. An unauthenticated request should receive a 401 response carrying a WWW-Authenticate: Basic realm="Top Secret Stuff" header, and a browser should prompt for a username and password. Two hardening points once it works: tomcat-users.xml holds passwords in clear text, and Tomcat realms can instead store digested passwords (the digest attribute of <Realm> together with the bin/digest script in Tomcat 6; a nested <CredentialHandler> element in Tomcat 8 and later); and the default server.xml of Tomcat 7 and later wraps the UserDatabaseRealm in a LockOutRealm, which locks an account after repeated failed logins to slow down password guessing.
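As an added example (not code from this page or from Tomcat), the following Python script embeds the web.xml and tomcat-users.xml fragments above and reproduces the decision Tomcat makes for each request: which constraint covers the path, the 401 challenge carrying the realm-name, the password check against the user database, and the 403 for a user who authenticates but holds none of the required roles. The url-pattern matcher, the (status, headers) response shape, and the extra "guest" account with a "reader" role are constructed for illustration; the user list is trimmed to one of the page's accounts plus that guest.

```python
"""Offline model of Tomcat's BASIC-auth decision for the configuration above.
Added example, not Tomcat's code: the url-pattern matcher, the (status, headers)
response shape and the "guest"/"reader" account are constructed for illustration."""
import base64
import xml.etree.ElementTree as ET

WEB_XML = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Top Secret Stuff</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>secretagent</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Top Secret Stuff</realm-name>
  </login-config>
  <security-role><role-name>secretagent</role-name></security-role>
</web-app>
"""

TOMCAT_USERS_XML = """\
<tomcat-users>
  <role rolename="secretagent"/>
  <role rolename="reader"/>
  <user username="greg" password="007" roles="secretagent"/>
  <user username="guest" password="guest" roles="reader"/>
</tomcat-users>
"""

def load_users(xml_text=TOMCAT_USERS_XML):
    """username -> (password, roles): the view UserDatabaseRealm has of tomcat-users.xml."""
    users = {}
    for u in ET.fromstring(xml_text).iter("user"):
        name = u.get("username") or u.get("name")  # Tomcat accepts either attribute name
        roles = {r.strip() for r in (u.get("roles") or "").split(",") if r.strip()}
        users[name] = (u.get("password", ""), roles)
    return users

def load_security(xml_text=WEB_XML):
    """Return ([(url_patterns, required_roles or None)], auth_method, realm_name)."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        ac = sc.find("auth-constraint")
        # No <auth-constraint> means unrestricted; an empty one means nobody may access.
        roles = None if ac is None else {r.text.strip() for r in ac.iter("role-name")}
        constraints.append((patterns, roles))
    login = root.find("login-config")
    return constraints, login.findtext("auth-method").strip(), login.findtext("realm-name").strip()

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, path prefix ("/x/*") or extension ("*.jsp")."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False

def basic_header(username, password):
    """The Authorization value a client sends: base64 of user:pass, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")

def handle_request(path, authorization=None, users=None, web_xml=WEB_XML):
    """Return (status, headers) for one request, following the container's BASIC flow."""
    users = load_users() if users is None else users
    constraints, method, realm = load_security(web_xml)
    required = None
    for patterns, roles in constraints:
        if any(pattern_matches(p, path) for p in patterns):
            required = roles
            break
    if required is None:
        return 200, {}                     # no constraint covers this path
    if not required:
        return 403, {}                     # empty <auth-constraint>: denied without a challenge
    if method != "BASIC":
        raise NotImplementedError("this model only implements the BASIC auth-method")
    challenge = {"WWW-Authenticate": f'Basic realm="{realm}"'}
    if not authorization or not authorization.startswith("Basic "):
        return 401, challenge              # no credentials yet: challenge the client
    try:
        decoded = base64.b64decode(authorization[6:]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, challenge              # malformed credentials are treated as absent
    username, _, password = decoded.partition(":")
    record = users.get(username)
    if record is None or record[0] != password:
        return 401, challenge              # unknown user or wrong password
    if not (record[1] & required):
        return 403, {}                     # authenticated, but holds none of the required roles
    return 200, {"REMOTE_USER": username}
```

Calling handle_request("/index.jsp") returns the 401 challenge, handle_request("/index.jsp", basic_header("greg", "007")) returns 200, and the same call for the guest account returns 403. basic_header() also makes the transport point concrete: the header value is plain base64 of username:password, reversible by anyone who can read the request, which is why a CONFIDENTIAL transport guarantee belongs next to any BASIC login-config.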

 

For more information on how realms work and how to configure them, see http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html. For the format of tomcat-users.xml and how the realms that read it work, see the MemoryRealm section at http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#MemoryRealm.


