This is a short tutorial on securing sections of your website or web application, using the container managed security provided by Tomcat 5 and other servlet containers. We will lock down a /members and /admin folder, so that a password is required to gain access.
We will use:
The tutorial assumes:
We are going to protect two new folders on the site, so create the folders and put something useful in them.
Source Code: <Your Application Root>/admin/index.jsp
<h1>Administration Area - Access Granted</h1>
Source Code: <Your Application Root>/members/index.jsp
<h1>Welcome to the Members Area</h1>
We will also make a simple index.jsp page, which has links into each of these areas.
Source Code: <Your Application Root>/index.jsp
<h1>Welcome to my secured application!</h1>
Please click a link below to log in.
<p /><a href="/members/index.jsp">Members area</a>
<br /><a href="/admin/index.jsp">Admin area</a>
Next, create a file called META-INF/context.xml in your web application, if it doesn't already exist.
Source Code: <Your Application Root>/META-INF/context.xml
<Context>
  <Realm className="org.apache.catalina.realm.MemoryRealm"
         pathname="[PATH-TO-YOUR-WEB-INF-FOLDER]/users.xml" />
</Context>
This simple example uses an XML file to define the users and roles. It is also possible to use a JDBCRealm or one of the other realm types.
Change the pathname attribute to a suitable location as necessary. It makes sense to point to a file in your WEB-INF folder, so that you can find and edit the file easily in the future alongside web.xml.
Examples:
Windows: pathname="c:/tomcat5/jakarta/webapps/MyApp/WEB-INF/users.xml"
Linux: pathname="/tomcat5/jakarta/webapps/MyApp/WEB-INF/users.xml"
Your application structure should look like this:
<webapps>
  /MyApp
    /WEB-INF
      web.xml
      users.xml     - We will create this file in the next step
    /META-INF
      context.xml   - The new file we just added
    /admin
      index.jsp     - Main file for the /admin area
    /members
      index.jsp     - Main file for the /members area
    index.jsp
Now create a file called WEB-INF/users.xml.
Source Code: <Your Application Root>/WEB-INF/users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="member"/>
  <user username="neale" password="mango" roles="admin"/>
  <user username="cassie" password="grape" roles="member"/>
  <user username="oliver" password="apple" roles="member"/>
</tomcat-users>
This file defines:
Add as many roles or users as you want to. The roles attribute can contain a list of roles, separated by commas.
Example:
<user username="fred" password="orange" roles="wiki,bugtracker,repository,cms"/>
For the sake of this example, make sure you define an "admin" and "member" role as in the example provided above.
The final step is to define the security constraint in web.xml.
Edit your web.xml file, and add the following before the closing </web-app> tag.
Source Code: Insert into <Your Application Root>/WEB-INF/web.xml
<!-- Define the roles we want to use in the application -->
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>member</role-name>
</security-role>

<security-constraint>
  <display-name>Security constraint for the /members folder</display-name>
  <!-- Define the resource, a /members folder -->
  <web-resource-collection>
    <web-resource-name>Members Only</web-resource-name>
    <url-pattern>/members/*</url-pattern>
  </web-resource-collection>
  <!-- Only administrators and members can access this resource -->
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <display-name>Security constraint for the /admin folder</display-name>
  <!-- Define the resource, a /admin folder -->
  <web-resource-collection>
    <web-resource-name>Administration</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <!-- Only administrators can access this resource -->
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Use BASIC security -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Secure Area</realm-name>
</login-config>
Finally, restart your application.
If you followed the steps above, when you browse to either the /members or /admin folders, you will be asked to log in.
The name of the realm appears in the dialog. Here is a screenshot from Internet Explorer:
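As an added example (not code from the tutorial or from Tomcat), the following Python script simulates what the container does with the configuration above. It parses the tutorial's users.xml and web.xml (both embedded here as constructed copies, the web.xml reduced to its security section and without the namespace declaration), applies the servlet url-pattern rules to a request path, answers with the 401 challenge whose realm name is what the browser shows in the login dialog, checks the BASIC credentials from the Authorization header, and then returns 200 or 403 according to the roles. The `audit` function at the end lists two things worth checking before deploying: roles that no user in users.xml holds, and constraints that have no `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` user-data-constraint, since BASIC sends the username and password base64-encoded on every request and only TLS protects them. The function names and the audit checks are this example's own, not Tomcat APIs.

```python
# Added example (not from the tutorial): simulate the container's enforcement of the
# tutorial's users.xml and web.xml, then audit the configuration. XML below is constructed.
import base64
import hmac
import xml.etree.ElementTree as ET

USERS_XML = """<tomcat-users>
  <role rolename="admin"/><role rolename="member"/>
  <user username="neale" password="mango" roles="admin"/>
  <user username="cassie" password="grape" roles="member"/>
  <user username="oliver" password="apple" roles="member"/>
</tomcat-users>"""
WEB_XML = """<web-app>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>member</role-name></security-role>
  <security-constraint>
    <web-resource-collection><url-pattern>/members/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name><role-name>member</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Secure Area</realm-name></login-config>
</web-app>"""

def load_users(xml_text):
    """MemoryRealm view of users.xml: username -> (password, set of roles)."""
    return {u.get("username"): (u.get("password"),
                                {r.strip() for r in u.get("roles", "").split(",") if r.strip()})
            for u in ET.fromstring(xml_text).findall("user")}

def load_security(xml_text):
    """Return ([(url patterns, required roles, confidential?)], realm name) from web.xml."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text for p in sc.findall("web-resource-collection/url-pattern")]
        auth = sc.find("auth-constraint")
        # no <auth-constraint> means open to everyone; an empty one means denied to everyone
        roles = None if auth is None else {r.text for r in auth.findall("role-name")}
        tg = sc.findtext("user-data-constraint/transport-guarantee")
        constraints.append((patterns, roles, tg == "CONFIDENTIAL"))
    return constraints, root.findtext("login-config/realm-name")

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: '/' default, '/x/*' path prefix, '*.ext' extension, else exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def roles_required(constraints, path):
    """None if the path is unprotected, else the union of roles from all matching constraints."""
    required = None
    for patterns, roles, _ in constraints:
        if roles is not None and any(pattern_matches(p, path) for p in patterns):
            required = (required or set()) | roles
    return required

def basic_header(username, password):
    """Build the Authorization header a browser sends after the BASIC login dialog."""
    return "Basic " + base64.b64encode(("%s:%s" % (username, password)).encode()).decode()

def handle_request(path, authorization=None, users_xml=USERS_XML, web_xml=WEB_XML):
    """Return (status, headers) as the container would: 200, a 401 challenge, or 403."""
    users = load_users(users_xml)
    constraints, realm = load_security(web_xml)
    required = roles_required(constraints, path)
    if required is None:
        return 200, {}
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % realm}  # realm name shown in the dialog
    if not authorization or not authorization.startswith("Basic "):
        return 401, challenge
    try:
        username, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return 401, challenge
    stored, roles = users.get(username, (None, set()))
    # constant-time compare; the tutorial's MemoryRealm file stores these passwords in plaintext
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return 401, challenge
    return (200, {}) if roles & required else (403, {})

def audit(users_xml=USERS_XML, web_xml=WEB_XML):
    """Pre-deployment checks: roles that no user holds, and BASIC without a TLS guarantee."""
    users = load_users(users_xml)
    constraints, _ = load_security(web_xml)
    assigned = set().union(*(roles for _, roles in users.values()))
    findings = []
    for patterns, roles, confidential in constraints:
        for role in sorted(roles or ()):
            if role not in assigned:
                findings.append("%s: role %r is held by no user in users.xml" % (patterns, role))
        if roles is not None and not confidential:
            findings.append("%s: BASIC credentials sent without transport-guarantee CONFIDENTIAL" % patterns)
    return findings
```

Run `audit()` against the tutorial's files and it reports both constraints as lacking a CONFIDENTIAL transport guarantee; `handle_request("/admin/index.jsp", basic_header("cassie", "grape"))` returns 403 because cassie authenticates but holds only the member role, while the same request without a header returns the 401 challenge naming the "Secure Area" realm.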