Samples | BASIC Authentication (Tomcat)
  1. The application structure
  2. Configure the file "tomcat-users.xml"
  3. Add and configure the file "web.xml"
  4. Add and configure the file "index.jsp"
  5. Test the BASIC authentication
  1. The application structure 
    |+ ${TOMCAT_HOME}
   |+ webapps
      |+ auth
         |+ WEB-INF
            |+ web.xml
         |+ jsp
            |+ index.jsp
  2. Configure the file "tomcat-users.xml"
    You need to activate the users/roles that will be authorized to authenticate to the application.

    File location: ${TOMCAT_HOME}/conf/tomcat-users.xml

    Example:
    <role rolename="tomcat"/>

<user username="tomcat" password="tomcat" roles="tomcat"/>
  3. Add and configure the file "web.xml"
    You need to configure your application so it will handle BASIC Authentication.

    File location: ${TOMCAT_HOME}/webapps/auth/WEB-INF/web.xml

    <?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
    version="4.0"
    metadata-complete="true">

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Web Resource - Allow GET method</web-resource-name>

            <url-pattern>/jsp/*</url-pattern>

            <http-method>GET</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>tomcat</role-name>
    </security-role>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>UserDatabase</realm-name>
    </login-config>
</web-app>
  4. Add and configure the file "index.jsp"
    Here's a simple page that will show the connected user.

    File location: ${TOMCAT_HOME}/webapps/auth/jsp/index.jsp

    <html>
  <head>
    <title>Index Page</title>
  </head>

  <body>
User: <b><%= request.getRemoteUser() %>
  </body>
</html>
  5. Test the BASIC authentication
    URL: http://localhost:8080/auth/jsp/

    tomcat-basic-authentication

    Here are the requests headers as it will be send by the browser, and the responses headers as it will be send back by Tomcat:

    • First, the browser will send these headers as part of the request: 
      GET /auth/jsp/ HTTP/1.1
Host: localhost:8080
...

    • Second, Tomcat will send back these headers as part of the response (401 Unauthorized): 
      HTTP/1.1 401
WWW-Authenticate: Basic realm="UserDatabase"
...

    • When you fill your username/password and you click the "Log In" button, the browser will send these headers as part of the request: 
      GET /auth/jsp/ HTTP/1.1
Host: localhost:8080
Authorization: Basic dG9tY2F0OnRvbWNhdA==
...

    • Then Tomcat will send back these headers as part of the response (200 OK): 
      HTTP/1.1 200
Set-Cookie: JSESSIONID=A5A77952719D6CAB6C908C9010ED3F87;path=/abc/;HttpOnly
...

    Notes:
    You can decode the encoded values ent by the browser (Authorization: Basic dG9tY2F0OnRvbWNhdA==) by using the following Java code: 
    byte[] decodedValue = Base64.getDecoder().decode("dG9tY2F0OnRvbWNhdA==");
System.out.println(new String(decodedValue, "UTF-8"));

    Output: tomcat:tomcat

    You can also use the following web site: https://www.base64decode.org
© 2025  mtitek