2

I want to make the default page of my Tomcat7 server private, i. e. accessible only after .htaccess password has been entered.

I mean this page:

Tomcat default page

For that purpose, I added:

<user username="admin" password="admin" roles="manager-gui"/>

to tomcat-users.xml.

Then I added:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/references/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<!-- Define the Login Configuration for this Application -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Application</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
    <description>
    The role that is required to log in to the Manager Application
    </description>
    <role-name>admin</role-name>
</security-role>

to webapps/ROOT/WEB-INF/web.xml.

But when I open the default page, htaccess dialog box still doesn't appear.

What am I doing wrong?

kenorb
  • 155,785
  • 88
  • 678
  • 743
Glory to Russia
  • 17,289
  • 56
  • 182
  • 325
  • See: [Specifying an Authentication Mechanism](http://docs.oracle.com/cd/E19226-01/820-7627/bncbn/index.html) – kenorb Apr 10 '15 at 12:46

1 Answers1

2

Look at your <url-pattern>, it is pointing to /references/* (which doesn't exist in the ROOT folder) The typical Tomcat setup the welcome page is in the root folder so the <url-pattern> should be pointing to /*.

Sean
  • 7,597
  • 1
  • 24
  • 26