Tags: tomcat, web.xml, http-authentication

How do I provide basic http authentication for static Tomcat webapps without changing tomcat-users.xml?


I have access to the Tomcat manager and can upload war files. One of these wars is a static web project (zipped HTML + media files, renamed to *.war). I want to add a WEB-INF/web.xml file to this war to protect the content with basic HTTP auth.

I know how to do this by adding global users and assigning roles in the tomcat-users.xml, but I want to have all usernames and passwords defined in my war-file.

  1. Can this be done without touching Tomcat's tomcat-users.xml?
  2. And if yes, how do I specify this in my static project's web.xml?

Solution

  • I found a solution here: http://wiki.metawerx.net/wiki/SecuringYourSiteWithContainerManagedSecurity

    The page describes how to define your own META-INF/context.xml pointing to your own WEB-INF/users.xml. Unfortunately, the path to the users.xml file has to be absolute, and I do not want to make any assumptions about the OS/filesystem paths in my config files.

    Here is my current WEB-INF/web.xml:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!-- Servlet 2.5 deployment descriptor. The 2.5 schema lives in the "javaee"
         namespace; the "j2ee" namespace belongs to Servlet 2.4. -->
    <web-app
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
        version="2.5">
    
        <display-name>SuperCoolTool</display-name>
        <description>What an awesome app!</description>
    
        <!-- Roles referenced below; the realm maps users to these names. -->
        <security-role>
            <role-name>manager</role-name>
        </security-role>
        <security-role>
            <role-name>keyuser</role-name>
        </security-role>
    
        <!-- Protect every URL in the webapp: only authenticated users holding
             one of the listed roles may access it. -->
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Entire Application</web-resource-name>
                <!-- No http-method elements, so the constraint covers all methods. -->
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>keyuser</role-name>
                <role-name>manager</role-name>
            </auth-constraint>
        </security-constraint>
    
        <!-- BASIC auth sends the credentials Base64-encoded (not encrypted) with
             every request; serve the app over HTTPS, or add a user-data-constraint
             with transport-guarantee CONFIDENTIAL, so they are not exposed. -->
        <login-config>
            <auth-method>BASIC</auth-method>
            <!-- Shown to the user in the browser's credential prompt. -->
            <realm-name>Evaluation Area</realm-name>
        </login-config>
    
    </web-app>
    

    A matching META-INF/context.xml would look like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Per-application context. A Realm declared here overrides, for this webapp
         only, the Realm configured at Engine/Host level in server.xml. -->
    <Context>
        <!-- MemoryRealm loads users and roles once, at startup, from an XML file in
             the same format as tomcat-users.xml. A relative pathname is resolved
             against $CATALINA_BASE, not against the webapp, which is why a file
             inside the war has to be referenced by an absolute path here. -->
        <Realm className="org.apache.catalina.realm.MemoryRealm"
               pathname="[PATH-TO-YOUR-WEBAPP]/WEB-INF/users.xml"/>
    </Context>
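The answer above shows web.xml and context.xml but not the users.xml file the MemoryRealm reads. The following is an added example, not part of the original post: a WEB-INF/users.xml in tomcat-users.xml format whose role names match the security-role and auth-constraint entries of the web.xml above. The user names and the password placeholders are made up.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/users.xml, loaded by the MemoryRealm declared in META-INF/context.xml.
     Same schema as tomcat-users.xml. Role names must match the security-role and
     auth-constraint entries in web.xml exactly (they are case-sensitive).
     User names and password placeholders are made-up examples. -->
<tomcat-users>
    <!-- Declare the roles first ... -->
    <role rolename="manager"/>
    <role rolename="keyuser"/>

    <!-- ... then map users to one or more comma-separated roles.
         Anyone with either role passes the /* constraint in web.xml. -->
    <user username="alice" password="[ALICE-PASSWORD]" roles="manager"/>
    <user username="bob"   password="[BOB-PASSWORD]"   roles="keyuser"/>

    <!-- A user without a matching role authenticates but gets 403 Forbidden. -->
    <user username="guest" password="[GUEST-PASSWORD]" roles=""/>
</tomcat-users>
```

Two practical notes. Tomcat never serves anything under WEB-INF over HTTP, so users.xml is not retrievable by clients, but the passwords above are plain text and readable by anyone with access to the deployed war or the exploded webapp directory. To avoid that, on Tomcat 8 or later nest a `<CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256"/>` element inside the `<Realm>` of context.xml and store the output of `$CATALINA_HOME/bin/digest.sh -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler <password>` as each user's `password` attribute; once a CredentialHandler is configured, every entry in the file must be digested, not a mix of plain and hashed values. Second, the MemoryRealm reads the file only at startup, so changes to users.xml take effect after the webapp is reloaded or redeployed.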