1

I am trying to enable basic HTTP auth on my Tomcat application. Also, I want to keep it outside the application. I added a new user to tomcat-users.xml and set its role to 'app-user'. Then I added a file $CATALINA_HOME/conf/Catalina/localhost/myapp.xml with the following content. But Tomcat is completely ignoring it. What am I doing wrong?

<Context path="/myapp">

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>
                Wildcard means whole app requires authentication
            </web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>app-user</role-name>
        </auth-constraint>

        <user-data-constraint>
            <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
</Context>
Amit

1 Answer

1

The <security-constraint> tag belongs to the web.xml of the application (typically in WEB-INF/web.xml in your war).

If you really want to keep it outside of your application, then you could add it to the file conf/web.xml, but keep in mind that it will then be applied to any other webapps in your Tomcat.
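
An added example (not part of the original question or answer): a small Python check that reads one descriptor and flags the two issues visible in the question's file, namely `<security-constraint>` / `<login-config>` placed outside a `web.xml`, and a constraint restricted to listed `<http-method>` elements, which under the Servlet specification applies only to those methods. Both XML samples and the names `local` and `audit` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the context descriptor from the question (shortened).
CONTEXT_XML = """<Context path="/myapp">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>app-user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</Context>"""

# Constructed sample: the same constraint in a web.xml, without a method list.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>app-user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>app-user</role-name></security-role>
</web-app>"""

def local(tag):
    """Strip the XML namespace so web.xml files of any schema version match."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return findings for one descriptor (a context file or a web.xml)."""
    root = ET.fromstring(xml_text)
    findings = []
    in_web_xml = local(root.tag) == "web-app"
    for el in root.iter():  # document order, root included
        name = local(el.tag)
        if name in ("security-constraint", "login-config") and not in_web_xml:
            findings.append(f"<{name}> under <{local(root.tag)}>: belongs in a web.xml")
        if name == "web-resource-collection":
            methods = [m.text.strip() for m in el if local(m.tag) == "http-method"]
            if methods:
                findings.append(f"constraint limited to {methods}: other HTTP methods not covered")
    return findings

if __name__ == "__main__":
    print(audit(CONTEXT_XML), audit(WEB_XML))
```
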