What we did on the previous page was to add a constraint. This means that the server knows which pages are to be secured; it does not, however, know how to secure those pages. There are many ways to authenticate with the server, and we will cover only a small number of them here.
Basic authentication pops up a browser-specific dialog to gather the user's name and password. You've probably seen this dialog before, as some sites use it for entering authentication details. It is not very secure: the data is only encoded (Base64), not encrypted, so it is not protected to the same standard as SSL. Below is an example dialog from Firefox.

First let's try the easiest mode of security to set up: basic authentication. This will use the browser's own authentication dialog to request the user details. Setting this up in Tomcat is quite straightforward and involves editing web.xml to add a login-config element as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <!-- Role referenced by the constraint below -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <!-- The constraint from the previous page: which pages are secured, and for which role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>management pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <url-pattern>/mixed/secure3.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- New on this page: how to authenticate (the browser's own dialog) -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
Even now we will not be able to log in, because we have not configured a user and have not yet set up a realm. For now we will use the default realm (the user database), which can also be handy for development. If you are using Tomcat, open tomcat-users.xml in the tomcat-home/conf directory and change it to look like the example below.
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <!-- Role name must match the role-name used in web.xml -->
  <role rolename="manager"/>
  <user username="test" password="changeme" roles="manager"/>
</tomcat-users>
Once Tomcat is restarted, you should be able to view the secure page using the credentials from the tomcat-users.xml file.