Tomcat security constraint for valid user

java tomcat web-applications security-constraint

13,149

Solution 1

Besides the auth-constraint you are adding to the security-constraint:

   <auth-constraint>
       <role-name>*</role-name>
   </auth-constraint>

you need specify the security role in the web-app:

    <security-role>
        <role-name>*</role-name>
    </security-role>

Solution 2

There are several realm implementation in tomcat - memory, database, JAAS and more. The easiest one to configure (though not the most secure) the memory one, which contains a single XML file, usually under conf/tomcat-users.xml:

<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1"  password="tomcat" roles="role1"  />
  <user name="both"   password="tomcat" roles="tomcat,role1" />
</tomcat-users>

The realm configuration is under the context, host or engine configurations, like this:

<Realm className="org.apache.catalina.realm.MemoryRealm"
       pathname="conf/tomcat-users.xml" />

Then, in the web.xml you put the following definition:

    <security-constraint>
            <web-resource-collection>
                    <web-resource-name>MRC Customer Care</web-resource-name>
                    <url-pattern>/protected/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                    <role-name>role1</role-name>
            </auth-constraint>
    </security-constraint>

    <!-- Define the Login Configuration for this Application -->
    <login-config>
            <auth-method>DIGEST</auth-method>
            <realm-name>YOUR REALM NAME</realm-name>
    </login-config>

    <security-role>
            <description>
              The role that is required to access the application. 
              Should be on from the realm (the tomcat-users.xml file).
            </description>
            <role-name>role1</role-name>                  
    </security-role>

The web.xml part is taken (with slight change) from one of our web apps.

13,149

Author by

Ricardo Marimon

Making usable and affordable software for small and medium enterprises. Say no to reports!!!

Updated on June 06, 2022

Comments

Ricardo Marimon almost 2 years

I'm trying to protect a resource in tomcat so that only "valid users" (those with a valid login and password in the realm) can access it. They do not necessarily belong to a group in the realm. I have tried with many combinations of the <security-constraint> directive without success. Any ideas?
Ricardo Marimon almost 14 years

I'm going to try this and report back.
André almost 14 years

Adding the security-role tag was the solution for us. Thanks.
cschooley over 10 years

Any way to actually add the constraint outside of the web.xml? E.g. add a constraint for all web apps in addition to the Realm/Valve in context.xml?
cschooley over 10 years

Answer to above is $CATALINA_BASE/conf/web.xml. See stackoverflow.com/questions/18242619/…