Container-managed authentication methods control how a user’s credentials are verified when a web app’s protected resource is accessed. When a web application uses basic authentication (BASIC in the web.xml file’s auth-method element), Tomcat uses HTTP basic authentication to ask the web browser for a username and password whenever the browser requests a resource of that protected web application. With this authentication method, all passwords are sent across the network in base64-encoded text.
Note: using basic authentication is generally considered insecure because it does not strongly encrypt passwords, unless the site also uses HTTPS or some other form of encryption between the client and the server (for instance, a virtual private network). But, if you’re just starting to use Tomcat, or if you just want to test container-managed security with your web app, basic authentication is easy to set up and test. Just add <security-constraint> and <login-config> elements to your web app’s web.xml file, and add the appropriate <role> and <user> elements to your CATALINA_BASE/conf/tomcat-users.xml file, restart Tomcat, and Tomcat takes care of the rest.
The example below shows a web.xml excerpt from a club membership web site with a members-only subdirectory that is protected using basic authentication. Note that this effectively takes the place of the Apache web server’s .htaccess files.
For app based Basic authentication you have to edit the web.xml in //webapps/Your-app/WEB-INF/web.xml
For ROOT basic auth CATILINA_HOME/conf/web.xml
web.xml security tags looks like this
<security-constraint> <web-resource-collection> <web-resource-name> Subdir test </web-resource-name> <url-pattern> /* </url-pattern> <http-method> GET </http-method> <http-method> POST </http-method> </web-resource-collection> <auth-constraint> <!-- the same like in your tomcat-users.conf file --> <role-name> manager </role-name> </auth-constraint> </security-constraint> <login-config> <auth-method> BASIC </auth-method> <realm-name> iTest Web app resources</realm-name> </login-config> <security-role> <description> </description> <role-name> manager </role-name> </security-role>
tomcat-users.xml uncomment or add new tag for user credentials
<role rolename="tomcat"/> <role rolename="role1"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="both" password="tomcat" roles="tomcat,role1"/> <user username="role1" password="tomcat" roles="role1"/> <user username="anand" password="password" roles="manager"/>