Basic authentication in Tomcat6 not working on directory

Question

I have following structure in my tomcat web directory

/webapps/ROOT.war
/webapps/ROOT/
/webapps/protect/

In the web.xml inside my ROOT.war java application I have configured basic authentication for some of the pages of the ROOT application which are working perfectly as expected.

But I need the same rules to be applied to the directory "protect" which is not part of that ROOT application. I added these rules to both web.xml inside of the ROOT application and to the web.xml file in /opt/tomcat/conf/ but the directory "protect" is still accessible without authentication. Any ideas?

This is the security configuration which is working for the ROOT paths, but not for the protect path:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Some paths need authentication</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
        <url-pattern>/protect/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>authenticatedUser</role-name>
    </auth-constraint>

    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

Answer 1

Assuming that protect is another web application and not a directory of your web application ROOT, you can do it, but if you mean to use protect as a directory of ROOT, then you can't do that. Instead, you have to move that directory inside ROOT.

So, assuming that both are two different, but related web applications, the keypoint in your question is that you want to share the same security configuration for both web applications, and you want to do so from the web deployment descriptor of one of them.

I am afraid it's not possible, because the web deployment descriptor web.xml is designed to setup configuration of its current web application or Context.

Tomcat has several containers that allow you to group web applications. This containers are:

• Engine, is the high level container where all request are received. It contains several hosts.
• Host, is the container for all Context inside the same virtual host
• Context, the web application.

There is also a Cluster container, but it is not relevant here.

Due to you want to share a common security configuration, you have to create a Realm (see What is a Realm) at least at Host level, is to say, in the conf/server.xml globally or inside your Host of interest.

This will let you to share the same users and credentials source for all Context inside your Host. Then, you can configure each Context individually.

Even it is possible to configure Single Sign On (see Single Sign On at Host level) between all Context inside the same Host. I think this is what you really want. This way the user will feel like if both web application were only one.

Then, remove protect url pattern from ROOT context, because it has no sense, and configure it properly inside protect web.xml.

Hope it helps!

Answer 2

The url-pattern is relative to the root directory of the current webapp not the host application. So in the web.xml of "protect" you have to change the URL pattern to "/*".

If the web-resource-name is the same across all webapps the browsers should automatically resend the password to all webapps once the user has entered it.