Can I use Basic HTTP Authentication using Apache+JServ?

Joshua Lynch

I recently did this with Apache and Tomcat. Using Basic HTTP Authentication is an Apache function, so this method should work with Apache and any servlet engine. Different web servers will, of course, work differently.

If you haven't already done so, read the Apache FAQ about authentication (section G) at apache.org, especially QA G.2. Also read the Apache Week article referenced there (http://www.apacheweek.com/issues/96-10-18#userauth). These resources will give you a good idea about how Apache can be configured to restrict access to URL's. Neither one explicitly tells you how to use authentication with servlets, so I'll spell it out here.

Use the <Location> directive to indicate to Apache that your specific servlet URL or servlet URL prefix (for multiple servlets) can be accessed only by authenticated users. The following template should be added to one of the Apache configuration files (such as http.conf) with appropriate substitutions for your system:

<Location /your/servlet/url >
   AuthName "your realm"
   AuthType Basic
   AuthUserFile /your/user/file
   require valid-user
This <Location> directive tells Apache to restrict access to the specified URL, so don't use the filesystem path to your servlet. Use the servlet's URL.

You will also need to create a user file with htpasswd. See the Apache Week article for details.