Sunday, April 17, 2011

How to use htpasswd file in Tomcat 6

I have already created a user database file using Apache's htpasswd command. This file is now used by several other applications like Apache and Subversion.

Users are created like this:

htpasswd /path/to/users.htpasswd peter

This user file is global, not per directory.

How can I make Tomcat 6 use this same file as a security realm?

From stackoverflow
  • There are two options:

    1. Use Apache as a front end to Tomcat (using either mod_jk or mod_proxy_ajp) and let Apache do the authentication. You can find details on how to do so here

    2. If you want Tomcat to do the authentication, then you need to use something other than the htpasswd file. There are 4 ways to save the users' credentials - using a database, JNDI/LDAP, an XML file or a JAAS provider. You can read about all the options in the Realm Configuration HOW-TO.

  • You could also create a custom authentication realm for Tomcat that knows how to read the htpasswd file. I just wonder why somebody hasn't already done that. At least I couldn't find anything with Google...

  • Most similar to the htpasswd file may be the MemoryRealm. I had trouble myself finding a simple example of how to use it, so I'll post a simple example here:

    1. Set up a role, username and password in tomcat-users.xml

    2. Your web.xml should contain something like:

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>My Protected WebSite</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- no <http-method> elements: the constraint then covers every
                 HTTP method; listing only GET and POST would leave the other
                 methods unprotected -->
          </web-resource-collection>
          <auth-constraint>
            <!-- the same role as in your tomcat-users.xml file -->
            <role-name>test</role-name>
          </auth-constraint>
        </security-constraint>
        <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>Basic Authentication</realm-name>
        </login-config>
        <security-role>
          <description>Test role</description>
          <role-name>test</role-name>
        </security-role>
      
    3. Add this to your server.xml file:

      <Realm className="org.apache.catalina.realm.MemoryRealm"></Realm>
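
The answers above explain that Tomcat cannot read the htpasswd file directly; as an added example (not part of the original answers), this script re-encodes the one htpasswd scheme Tomcat can verify, the `{SHA}` entries written by `htpasswd -s`, into tomcat-users.xml rows. It assumes the MemoryRealm element carries `digest="SHA"` and that every user gets the role `test` from the answer; the sample file is constructed. Salted crypt/APR1 entries cannot be converted and are reported, and unsalted SHA-1 is a weak password hash, so the result needs the same file protection as the htpasswd file.

```python
import base64
import binascii
from xml.sax.saxutils import quoteattr

# Constructed sample: "peter" was added with `htpasswd -s` (password "secret"),
# "mary" carries a made-up APR1-MD5 entry, which is salted and not convertible.
SAMPLE_HTPASSWD = """\
peter:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
mary:$apr1$abcdefgh$0123456789abcdefghijk.
"""

def convert(htpasswd_text):
    """Return ({user: hex_sha1}, [skipped users]) for htpasswd file content."""
    converted, skipped = {}, []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if stored.startswith("{SHA}"):
            try:
                raw = base64.b64decode(stored[5:], validate=True)
            except (binascii.Error, ValueError):
                raw = b""
            if len(raw) == 20:  # a SHA-1 digest is exactly 20 bytes
                # Tomcat stores digested passwords hex-encoded, htpasswd base64
                converted[user] = raw.hex()
                continue
        skipped.append(user)
    return converted, skipped

def tomcat_users_xml(converted, role="test"):
    """Render tomcat-users.xml; every user gets the single role `role`."""
    rows = ["<tomcat-users>", "  <role rolename=%s/>" % quoteattr(role)]
    for user, digest in sorted(converted.items()):
        rows.append("  <user username=%s password=%s roles=%s/>"
                    % (quoteattr(user), quoteattr(digest), quoteattr(role)))
    rows.append("</tomcat-users>")
    return "\n".join(rows)

if __name__ == "__main__":
    users, skipped = convert(SAMPLE_HTPASSWD)
    print(tomcat_users_xml(users))
    print("not convertible:", ", ".join(skipped))
```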
      
