Apache Tomcat : Basic and Digest Authentication
This article describes how to set up basic and digest authentication on Tomcat 8 and above.
Setup
We need a simple resource to test against, so we create a small text file under the ROOT web application.
mkdir -p $CATALINA_BASE/webapps/ROOT
echo "OK" > $CATALINA_BASE/webapps/ROOT/check.txt
We can test the URL using the curl command. The -k flag skips certificate verification, which is only appropriate against a test server with a self-signed certificate.
$ curl -k https://localhost:8443/check.txt
OK
$
Basic Authentication
The "$CATALINA_BASE/conf/server.xml" file needs no changes.
The "$CATALINA_BASE/conf/web.xml" file needs the following entry before the final </web-app> tag. This is the server-wide web.xml, so the constraint applies to every web application deployed on the instance; to protect a single application, put the same elements in that application's WEB-INF/web.xml instead. In this example we use "/*" as the url-pattern attribute, which means all URLs will be protected. Alter the pattern to limit the protected URLs.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>test</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>*</role-name>
</security-role>
The "$CATALINA_BASE/conf/tomcat-users.xml" file needs entries for users and roles. Notice it uses a plain text password.
<role rolename="emp_role"/>
<user username="emp_user" password="Password1" roles="emp_role"/>
Restart Tomcat.
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
The URLs are now protected with the specified username and password. An unauthenticated request gets a 401 challenge; we use the --user flag to pass the credentials. Basic authentication sends the username and password base64-encoded, which is as good as plain text, so it is only acceptable over HTTPS, as here.
$ curl -i -k https://localhost:8443/check.txt | grep HTTP/2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   669  100   669    0     0  16725      0 --:--:-- --:--:-- --:--:-- 16725
HTTP/2 401
$

$ curl -k --user emp_user:Password1 https://localhost:8443/check.txt
OK
$
Digest Authentication
Digest the password. The digest.sh script prints the string it was given followed by the digest, and "-a md5 -i 1 -s 0" selects a single, unsalted MD5 round.
$CATALINA_HOME/bin/digest.sh -a md5 -i 1 -s 0 -h org.apache.catalina.realm.MessageDigestCredentialHandler Password1
Password1:2ac9cb7dc02b3c0083eb70898e549b63
$
That is a digest of the bare password. Tomcat can check it for BASIC authentication once a credential handler is configured on the realm, but it is not the value DIGEST authentication needs. With a MessageDigestCredentialHandler configured, Tomcat uses the stored credential directly as the HA1 term of the RFC 2617 calculation, so for DIGEST the stored value must be the MD5 of "username:realm:password", with one iteration and no salt, as the Realm Configuration How-To describes. The realm is the <realm-name> from the <login-config> in web.xml; with none set, as in this article, Tomcat uses "Authentication required". Digest that string instead and keep the hex value printed after the final colon.
$CATALINA_HOME/bin/digest.sh -a md5 -i 1 -s 0 -h org.apache.catalina.realm.MessageDigestCredentialHandler "emp_user:Authentication required:Password1"
Because the username and realm name are baked into the stored value, a renamed user or a changed <realm-name> needs a freshly digested credential.
Amend the "$CATALINA_BASE/conf/tomcat-users.xml" file, replacing the plain text password with that digest.
<role rolename="emp_role"/>
<!-- The hex digest of emp_user:Authentication required:Password1 printed by digest.sh. -->
<user username="emp_user" password="DIGEST_OF_USERNAME_REALM_PASSWORD" roles="emp_role"/>
Amend the "$CATALINA_BASE/conf/server.xml" file, adding a credential handler to the realm. The algorithm, iterations and saltLength attributes must match the digest.sh options used above. Note the attribute is spelled saltLength; Tomcat only logs a warning for an attribute name it does not recognise and keeps the default value.
From this:
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <!-- This Realm uses the UserDatabase configured in the global JNDI
       resources under the key "UserDatabase". Any edits
       that are performed against this UserDatabase are immediately
       available for use by the Realm. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Realm>
To this:
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <!-- This Realm uses the UserDatabase configured in the global JNDI
       resources under the key "UserDatabase". Any edits
       that are performed against this UserDatabase are immediately
       available for use by the Realm. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="md5"
                       iterations="1"
                       saltLength="0"/>
  </Realm>
</Realm>
Amend the "$CATALINA_BASE/conf/web.xml" file, changing the security-constraint we added previously, setting the auth-method to DIGEST.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>test</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
</login-config>
<security-role>
  <role-name>*</role-name>
</security-role>
Restart Tomcat.
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
The URLs are now protected with the specified username and digested password. We use the --digest flag to indicate we are using digest authentication: curl's first request is unauthenticated, and it answers the 401 challenge by computing the response from the password, so the password itself is never sent.
$ curl -k --digest --user emp_user:Password1 https://localhost:8443/check.txt
OK
$
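To make the difference between the two stored values concrete, here is an added example (not code from the article or from Tomcat) that does the RFC 2617 arithmetic in Python: a client builds the Authorization header that curl --digest sends, and a server-side check treats the stored credential as HA1, the way a realm with a MessageDigestCredentialHandler does. The realm name "Authentication required" is Tomcat's default when no <realm-name> is set; the nonce, nc and cnonce values are constructed for the example.

```python
"""Added example, not from the article or Tomcat's source: RFC 2617 digest
arithmetic for the emp_user / Password1 credentials used in the article."""
import hashlib
import hmac
import re

USERNAME = "emp_user"
PASSWORD = "Password1"
REALM = "Authentication required"  # Tomcat's default when web.xml has no <realm-name>


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def bare_password_digest(password: str) -> str:
    """Single unsalted MD5 of the password: what `digest.sh -a md5 -i 1 -s 0`
    prints for a bare password. Usable for BASIC with a credential handler,
    but not the value DIGEST authentication needs."""
    return md5_hex(password)


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is what a realm with a
    MessageDigestCredentialHandler must store for DIGEST authentication."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username: str, realm: str, password: str, method: str,
                        uri: str, nonce: str, nc: str, cnonce: str,
                        qop: str = "auth") -> str:
    """Client side: the Authorization header value sent after the 401 challenge.
    Only the response hash leaves the client, never the password."""
    ha1 = digest_ha1(username, realm, password)
    response = digest_response(ha1, method, uri, nonce, nc, cnonce, qop)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


# key="quoted value" or key=token, comma separated
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    """Parse a `Digest ...` Authorization header value into its fields."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PARAM_RE.finditer(params)}


def server_accepts(stored_credential: str, method: str, request_uri: str,
                   header: str) -> bool:
    """Server side with a MessageDigestCredentialHandler: the stored credential
    is used as HA1 as-is, and the response is recomputed from the request's own
    method and URI, so a header replayed against another URI fails."""
    fields = parse_authorization(header)
    try:
        if fields["uri"] != request_uri or fields["qop"] != "auth":
            return False
        expected = digest_response(stored_credential, method, request_uri,
                                   fields["nonce"], fields["nc"],
                                   fields["cnonce"], fields["qop"])
        return hmac.compare_digest(expected, fields["response"])
    except KeyError:
        return False


def demo() -> dict:
    # Constructed challenge values; a real server issues a fresh nonce per challenge.
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    header = build_authorization(USERNAME, REALM, PASSWORD, "GET", "/check.txt",
                                 nonce, nc, cnonce)
    ha1 = digest_ha1(USERNAME, REALM, PASSWORD)
    return {
        "bare_digest": bare_password_digest(PASSWORD),
        "ha1": ha1,
        "accepted_with_bare_digest": server_accepts(bare_password_digest(PASSWORD),
                                                    "GET", "/check.txt", header),
        "accepted_with_ha1": server_accepts(ha1, "GET", "/check.txt", header),
        "accepted_other_uri": server_accepts(ha1, "GET", "/other.txt", header),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the bare digest the article stores (the MD5 of Password1), the HA1 that must be stored instead, and shows the server accepting the client's response only with the HA1 value. The hex printed as "ha1" is the value to put in the password attribute in tomcat-users.xml for the digest test above.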
For more information see:
- Realm Configuration How-To
- Oracle REST Data Services (ORDS) : Basic and Digest Authentication on Tomcat using DataSourceRealm
Hope this helps. Regards Tim...