Configuring Basic Authentication#

Container-managed authentication methods control how a user's credentials are verified when a web app's protected resource is accessed. When a web application uses basic authentication (BASIC in the web.xml file's auth-method element), Tomcat uses HTTP basic authentication to ask the web browser for a username and password whenever the browser requests a resource of that protected web application. With this authentication method, all passwords are sent across the network in base64-encoded text.

Just add <security-constraint> and <login-config> elements to your web app's web.xml file, and add the appropriate <role> and <user> elements to the main /conf/tomcat-users.xml file, restart Tomcat, and Tomcat takes care of the rest. (contact support to add users to the /conf/tomcat-users.xml file and to organise a restart of tomcat)

The example below shows a web.xml excerpt from a private web site with a private subdirectory that is protected using basic authentication.

<!--
  Define the private area, by defining
  a "Security Constraint" on this Application, and
  mapping it to the subdirectory (URL) that we want
  to restrict.
 -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>
      Java Application
    </web-resource-name>
    <url-pattern>/members/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
      <role-name>member</role-name>
  </auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Private area Area</realm-name>
</login-config>

Back to JSP