Tomcat UserDatabase Realm Security example
Authentication can be controlled by application level, or by the container level (for example tomcat or jboss) that the application runs in. In this tutorial we are going to explain the example with using the tomcat container.
In the tomcat's container the application security managed by based on the realm configured.
In this tutorial you can learn that, how to set up the UserDatabase realm (Which is default active realm in tomcat configuration), and how to define the security details in web.xml file.
Object : The main objective of the tutorial is that, using the tomcat container set UserDatabase realm for access the secure resources.
Scope : In order to achieve the objective mentioned above, we are going to develop a web application with using eclipse and set the security access details in web.xml file for access the secure resources with using UserDatabase realm.
Requirements :
- Eclipse Java IEE IDE
- JDK 1.6
- Apache Tomcat - 6.0.26
Step 1 : First we have to set the tomcat users and roles for access the secure resources. In order to achieve that add the following specific roles and user credentials to "tomcat-users.xml" file. You have to specify the same username and password for when access the secure resources.
1
2
3
4
5
6
| <tomcat-users>
<role rolename="VIP"/>
<role rolename="ADMIN"/>
<user username="vip" password="vip123" roles="VIP"/>
<user username="admin" password="admin123" roles="ADMIN"/>
</tomcat-users>
|
In the above file we specified two roles VIP, ADMIN and their credential details. If user have the VIP privileges they have to specify the username and password are respectively 'vip' and 'vip123'.
If the user have the ADMIN privileges then the username and password are respectively 'admin' and 'admin123'.
Step 2 : Create a Dynamic web project with using the Eclipse and Name it as "UserDataBaseAuthentication". The path of create the dynamic web project as below.
File > New > Dynamic Web Project
Step 3 : Create a "index.jsp" file under the WebContent folder. The index file have link to access the secure jsp file name it as "confidential.jsp"
/UserDataBaseAuthentication/WebContent/index.jsp
1
2
3
4
5
6
7
8
9
10
11
12
| <%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>findanidea.blogspot.com</title>
</head>
<body>
<h1>Hello World!</h1>
<a href="confidential/confidential.jsp">Access the connfidential page.</a>
</body>
</html>
|
Step 4 : Create a "confidential.jsp" file under the WebContent\confidential folder. The file have "This is Confidential resource." message.
Step 5 : Now the time to configure the security elements to "web.xml". For the authentication process we are going to add the <security-role>,<login-config> and <security-constraint> tags to web.xml file.
/UserDataBaseAuthentication/WebContent/WEB-INF/web.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| <security-role>
<role-name>VIP</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>CONFITEST</web-resource-name>
<http-method>POST</http-method>
<http-method>GET</http-method>
<url-pattern>/confidential/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>VIP</role-name>
</auth-constraint>
<user-data-constraint>
<!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
|
In this example we define the role name as VIP only have the access the resources inside the folder 'confidential'. In addition to that the secure resources can be access via GET and POST http methods only.
There are four type of authentication types available such as BASIC, FORM, DIGEST and CLIENT-CERT. In this example we used BASIC authentication type.
We can specify three type of transport guarantee parameters such as NONE, CONFIDENTIAL and INTEGRAL in the line number 21.
Step 6 : When you run the "UserDataBaseAuthentication" project, the "index.jsp" file will display in browser. When try to access the "confidential.jsp" via click the link, the browser prompt will ask the username and password details for authenticate before access the resource. If VIP privilege user enter the correct username and password then the user able to access the confidential page. Otherwise they will get error message.