Apache Tomcat : Basic and Digest Authentication

This article describes how to set up basic and digest authentication on Tomcat 8 and above.

Setup

We need something simple to test against, so we create a file in the ROOT web application.

mkdir -p $CATALINA_BASE/webapps/ROOT
echo "OK" > $CATALINA_BASE/webapps/ROOT/check.txt

We can test the URL using the curl command.

$ curl -k https://localhost:8443/check.txt
OK
$

Basic Authentication

The "$CATALINA_BASE/conf/server.xml" file needs no changes.

The "$CATALINA_BASE/conf/web.xml" file needs the following entry before the final </web-app> tag. In this example we use "/*" as the url-pattern, which means all URLs are protected. Narrow the pattern to limit the protected URLs.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>test</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
       <role-name>*</role-name>
    </security-role>

The "$CATALINA_BASE/conf/tomcat-users.xml" file needs entries for users and roles. Notice it uses a plain text password.

  <role rolename="emp_role"/>
  <user username="emp_user" password="Password1" roles="emp_role"/>

Restart Tomcat.

$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh

The URLs are now protected with the specified username and password. Without credentials the request is rejected with a 401; we use the --user flag to pass the credentials.

$ curl -i -k https://localhost:8443/check.txt | grep HTTP/2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   669  100   669    0     0  16725      0 --:--:-- --:--:-- --:--:-- 16725
HTTP/2 401
$


$ curl -k --user emp_user:Password1 https://localhost:8443/check.txt
OK
$
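As an added illustration (not code from the article or from the Tomcat project), the Python below mimics what the BASIC flow does on each side: the client base64-encodes username:password into the Authorization header, and the realm compares it with the plain text password from tomcat-users.xml. Decoding the header shows why the article sends the request over HTTPS: base64 is an encoding, not encryption, so anyone who can read the request can read the credentials. The tomcat-users.xml content is constructed to mirror the article's entries, and the role check is a simplified model of the auth-constraint, not Tomcat's own implementation.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml content, mirroring the entries used in the article.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="emp_role"/>
  <user username="emp_user" password="Password1" roles="emp_role"/>
</tomcat-users>
"""


def _local(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def load_users(xml_text):
    """Return {username: (password, frozenset(roles))} from tomcat-users.xml text."""
    users = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        roles = frozenset(r.strip() for r in el.get("roles", "").split(",") if r.strip())
        users[el.get("username")] = (el.get("password", ""), roles)
    return users


def encode_basic(username, password):
    """Client side: the Authorization header value that curl --user builds."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(header_value):
    """Split an Authorization header value back into (username, password).
    No secret is needed to do this, which is why BASIC must travel over TLS."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("Basic credentials must be username:password")
    return username, password


def authenticate(users, header_value):
    """Realm side: return the user's roles on a match, otherwise None.
    compare_digest keeps the comparison time independent of where a mismatch is."""
    try:
        username, password = decode_basic(header_value)
    except ValueError:
        return None
    entry = users.get(username)
    if entry is None:
        return None
    stored_password, roles = entry
    if not hmac.compare_digest(stored_password.encode("utf-8"), password.encode("utf-8")):
        return None
    return roles


def authorized(users, header_value, allowed_roles):
    """Simplified auth-constraint check: "*" admits any authenticated user holding
    at least one role; otherwise the user needs one of the listed roles."""
    roles = authenticate(users, header_value)
    if roles is None:
        return False
    if "*" in allowed_roles:
        return bool(roles)
    return bool(roles & set(allowed_roles))


USERS = load_users(TOMCAT_USERS_XML)

if __name__ == "__main__":
    hdr = encode_basic("emp_user", "Password1")
    print(hdr)                            # Basic ZW1wX3VzZXI6UGFzc3dvcmQx
    print(decode_basic(hdr))              # ('emp_user', 'Password1')
    print(authorized(USERS, hdr, {"*"}))  # True
```

Run it and compare the printed header with what `curl -v --user emp_user:Password1` sends: the two are identical, and the second line recovers the password from nothing but the header text.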

Digest Authentication

Digest the password using the digest.sh script shipped with Tomcat.

$CATALINA_HOME/bin/digest.sh -a md5 -i 1 -s 0 -h org.apache.catalina.realm.MessageDigestCredentialHandler Password1 
Password1:2ac9cb7dc02b3c0083eb70898e549b63
$

Amend the "$CATALINA_BASE/conf/tomcat-users.xml" file, replacing the plain text password with the digested password.

  <role rolename="emp_role"/>
  <user username="emp_user" password="2ac9cb7dc02b3c0083eb70898e549b63" roles="emp_role"/>

Amend the "$CATALINA_BASE/conf/server.xml" file, adding a credential handler to the realm.

From this:

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
                          resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

To this:

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
                          resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase">
                 <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                                       algorithm="md5"
                                       iterations="1"
                                       saltLength="0"/>
        </Realm>
      </Realm>

Amend the "$CATALINA_BASE/conf/web.xml" file, changing the entries we added previously so the auth-method is DIGEST.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>test</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>DIGEST</auth-method>
    </login-config>
    <security-role>
       <role-name>*</role-name>
    </security-role>

Restart Tomcat.

$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh

The URLs are now protected with the specified username and digested password. We use the --digest flag to tell curl to use digest authentication.

$ curl -k --digest --user emp_user:Password1 https://localhost:8443/check.txt
OK
$
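As an added example (not code from the article or from the Tomcat project), the Python below shows what the DIGEST flow computes on each side and why it improves on BASIC: the client answers the server's nonce challenge with an MD5 response derived from HA1 = MD5(username:realm:password), and the server recomputes that response from its stored HA1, so the cleartext password never crosses the wire. tomcat_md5_digest reproduces the digest.sh output shown above. One caveat a practitioner should know: Tomcat's Realm HOW-TO states that when the auth-method is DIGEST, the value stored in tomcat-users.xml must be the digest of {username}:{realm}:{cleartext-password} with one MD5 iteration and no salt, i.e. HA1, rather than the digest of the password alone; ha1() computes that form. The realm name (assumed to be Tomcat's default DIGEST realm string), the nonces and the request line are constructed sample values.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample values. The realm string is an assumption (Tomcat's default
# DIGEST realm name); a real server issues its own nonce with each challenge.
USERNAME = "emp_user"
PASSWORD = "Password1"
REALM = "Authentication required"
METHOD = "GET"
URI = "/check.txt"


def tomcat_md5_digest(cleartext):
    """Same result as the article's digest.sh call: one MD5 iteration, no salt, hex output."""
    return hashlib.md5(cleartext.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """RFC 2617 HA1. Per Tomcat's Realm HOW-TO this username:realm:password digest is
    the value to store in tomcat-users.xml when the auth-method is DIGEST."""
    return tomcat_md5_digest(f"{username}:{realm}:{password}")


def ha2(method, uri):
    """RFC 2617 HA2 for qop=auth."""
    return tomcat_md5_digest(f"{method}:{uri}")


def response_hash(ha1_hex, nonce, nc, cnonce, qop, ha2_hex):
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return tomcat_md5_digest(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_hex}")


def build_authorization(username, realm, password, nonce, method, uri, cnonce,
                        nc="00000001", qop="auth"):
    """Client side, what curl --digest does after the 401: the password only feeds HA1."""
    resp = response_hash(ha1(username, realm, password), nonce, nc, cnonce, qop, ha2(method, uri))
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=%s, nc=%s, '
            'cnonce="%s", response="%s"' % (username, realm, nonce, uri, qop, nc, cnonce, resp))


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header_value):
    """Turn 'Digest k="v", k2=v2, ...' into a dict of parameter -> value."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def server_verify(header_value, stored_ha1_by_user, issued_nonce, method, request_uri):
    """Server side: recompute the response from the stored HA1 only. The cleartext
    password is never needed here and never appears on the wire, unlike BASIC."""
    try:
        p = parse_authorization(header_value)
    except ValueError:
        return False
    if p.get("nonce") != issued_nonce or p.get("uri") != request_uri:
        return False  # nonce we did not issue (stale/replayed) or URI mismatch
    stored = stored_ha1_by_user.get(p.get("username"))
    if stored is None:
        return False
    try:
        expected = response_hash(stored, p["nonce"], p["nc"], p["cnonce"], p["qop"],
                                 ha2(method, request_uri))
        return hmac.compare_digest(expected.encode("ascii"), p["response"].encode("utf-8"))
    except KeyError:
        return False  # required parameter missing from the header


def demo():
    """One challenge/response round trip; returns (correct_password_ok, wrong_password_ok)."""
    nonce = secrets.token_hex(16)   # stands in for the nonce from the server's 401 challenge
    cnonce = secrets.token_hex(8)
    store = {USERNAME: ha1(USERNAME, REALM, PASSWORD)}   # what the realm would hold
    good = build_authorization(USERNAME, REALM, PASSWORD, nonce, METHOD, URI, cnonce)
    bad = build_authorization(USERNAME, REALM, "not-the-password", nonce, METHOD, URI, cnonce)
    return (server_verify(good, store, nonce, METHOD, URI),
            server_verify(bad, store, nonce, METHOD, URI))


if __name__ == "__main__":
    print(tomcat_md5_digest(PASSWORD))   # 2ac9cb7dc02b3c0083eb70898e549b63, as digest.sh printed
    print(ha1(USERNAME, REALM, PASSWORD))
    print(demo())                        # (True, False)
```

MD5 is what RFC 2617 Digest and Tomcat's DIGEST authenticator use, so it is a property of the scheme rather than a choice here; DIGEST protects the password in transit but the stored HA1 is still a fast unsalted hash, which is why the article's requests continue to go over HTTPS.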

Hope this helps. Regards Tim...