Jetty webserver security

One way to do this is by setting up basic authentication for your application. You should only do this if you use ssl, but then login without ssl is not secure anyway so I guess you have that already.

There is many ways to do this in Jetty, and this is only one of them.

First, you must define a realm where you define all users, passwords, roles etc. The default settings in Jetty already defines a realm called "Test Realm". The realm is defined in the file /etc/jetty-testrealm.xml. You may use this realm or create a new one. If you define a new, you may define it in the same file or in a separate file. If you create a separate file, remember to include that file in start.ini.

The /etc/jetty-testrealm.xml has a reference to /etc/realm.properties. This is where you create your users. If you want to just use the test-realm, remember to delete the default users that already is defined in realm.properties.

There are also other kind of realm implementations that use i.e. a database for user data.

Next, open the /etc/webdefault.xml file and add something like this at the bottom:

<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>      <!--The url that should be protected -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>       <!--The required roles for accessing the url -->
    <role-name>user</role-name>
    <role-name>moderator</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>     <!-- Use http basic authentication -->
  <realm-name>Test Realm</realm-name>  <!-- Users are defined in this realm -->
</login-config>

Author by

Dan

Updated on July 09, 2022