How to set up Basic HTTP Authorization in Tomcat 4

Alessandro A. Garbagnati

There are two required steps to activate Basic HTTP authentication in Tomcat.

The first one is Tomcat specific task. You need to define the type of Realm you wanna use. You can choose different type of realms: Memory, Database (DataSource or JDBS) and JNDI.
The easiest to set up is the Memory Realm, but if you need further information you can still refer to the Tomcat 4 Realm Configuration HOWTO documentation page.
For a Memory realm, you just need to insert in the <Engine...></Engine> tag of your server configuration file (conf/server.xml) this tag:

  <Realm className="org.apache.catalina.realm.MemoryRealm" />
Once you have done this, you should edit (or create) the conf/tomcat-users.xml file where you will place the name of all the users you wanna give access to, and their "role". A simple example could be this one:
<?xml version='1.0' encoding='utf-8'?>
  <role rolename="test"/>
  <user username="user" password="pass" roles="test"/>
This has created a role called "test", and a "user" that belongs to that role.
You can change the way you save your password (by default it's plain text) or the name and location of the file, through the attributes of the Realm tag, as described in the documentation page linked above.

The second step is the standard servlet way to set the authentication, siply adding to your web application descriptor (web.xml) some imformation like, for example:
        Protected Site 
      <!-- This would protect the entire site -->
      <url-pattern> /* </url-pattern>
      <!-- If you list http methods, 
            only those methods are protected -->
      <http-method> DELETE </http-method>
      <http-method> GET </http-method>
      <http-method> POST </http-method>
      <http-method> PUT </http-method>
      <!-- Roles that have access -->
      <role-name> test </role-name>
  <!-- BASIC authentication -->
    <auth-method> BASIC </auth-method>
    <realm-name> Example Basic Authentication </realm-name>

  <!-- Define security roles -->
    <description> Test role </description>
    <role-name> test </role-name>
That should be enough to start...