Samples | BASIC Authentication (Tomcat)
  1. The application structure
  2. Configure the file "tomcat-users.xml"
  3. Add and configure the file "web.xml"
  4. Add and configure the file "index.jsp"
  5. Test the BASIC authentication

  1. The application structure
    |+ ${TOMCAT_HOME}
       |+ webapps
          |+ auth
             |+ WEB-INF
                |+ web.xml
             |+ jsp
                |+ index.jsp
  2. Configure the file "tomcat-users.xml"
    You need to activate the users/roles that will be authorized to authenticate to the application.

    File location: ${TOMCAT_HOME}/conf/tomcat-users.xml

    Example:
    <role rolename="tomcat"/>
    
    <user username="tomcat" password="tomcat" roles="tomcat"/>
  3. Add and configure the file "web.xml"
    You need to configure your application so it will handle BASIC Authentication.

    File location: ${TOMCAT_HOME}/webapps/auth/WEB-INF/web.xml

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
        version="4.0"
        metadata-complete="true">
    
        <welcome-file-list>
            <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>
    
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Web Resource - Allow GET method</web-resource-name>
    
                <url-pattern>/jsp/*</url-pattern>
    
                <http-method>GET</http-method>
            </web-resource-collection>
    
            <auth-constraint>
                <role-name>tomcat</role-name>
            </auth-constraint>
        </security-constraint>
    
        <security-role>
            <role-name>tomcat</role-name>
        </security-role>
    
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>UserDatabase</realm-name>
        </login-config>
    </web-app>
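
    The constraint above names only GET, so requests using any other HTTP method fall outside it, and the credentials exchanged in step 5 are only Base64-encoded. A hardened variant of the constraint follows as an added example that is not part of the original page; it assumes an HTTPS connector is already configured in server.xml so that Tomcat has a port to redirect to.

```xml
<!-- Added example: replaces the <security-constraint> block in the
     WEB-INF/web.xml shown on this page; the other elements stay unchanged. -->

<!-- The original collection contained <http-method>GET</http-method>.
     A collection that names methods constrains only those methods.
     Naming no method makes the constraint apply to every HTTP method. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Web Resource - All methods</web-resource-name>
        <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
        <role-name>tomcat</role-name>
    </auth-constraint>

    <!-- BASIC sends username:password Base64-encoded on every request.
         CONFIDENTIAL makes Tomcat redirect plain-HTTP requests to the
         connector's redirectPort (assumption: an HTTPS connector exists). -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Servlet 3.1 and later: reject any method that a constraint leaves
     uncovered, in case a later edit reintroduces an <http-method> list. -->
<deny-uncovered-http-methods/>
```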
  4. Add and configure the file "index.jsp"
    Here's a simple page that will show the connected user.

    File location: ${TOMCAT_HOME}/webapps/auth/jsp/index.jsp

    <html>
      <head>
        <title>Index Page</title>
      </head>
    
      <body>
    User: <b><%= request.getRemoteUser() %></b>
      </body>
    </html>
  5. Test the BASIC authentication
    URL: http://localhost:8080/auth/jsp/


    Here are the request headers as sent by the browser and the response headers as sent back by Tomcat:

    • First, the browser will send these headers as part of the request:
      GET /auth/jsp/ HTTP/1.1
      Host: localhost:8080
      ...

    • Second, Tomcat will send back these headers as part of the response (401 Unauthorized):
      HTTP/1.1 401
      WWW-Authenticate: Basic realm="UserDatabase"
      ...

    • When you fill in your username/password and click the "Log In" button, the browser will send these headers as part of the request:
      GET /auth/jsp/ HTTP/1.1
      Host: localhost:8080
      Authorization: Basic dG9tY2F0OnRvbWNhdA==
      ...

    • Then Tomcat will send back these headers as part of the response (200 OK):
      HTTP/1.1 200
      Set-Cookie: JSESSIONID=A5A77952719D6CAB6C908C9010ED3F87;path=/abc/;HttpOnly
      ...

    Notes:
    You can decode the encoded value sent by the browser (Authorization: Basic dG9tY2F0OnRvbWNhdA==) by using the following Java code:
    import java.nio.charset.StandardCharsets;
    import java.util.Base64;

    byte[] decodedValue = Base64.getDecoder().decode("dG9tY2F0OnRvbWNhdA==");
    System.out.println(new String(decodedValue, StandardCharsets.UTF_8));

    Output: tomcat:tomcat

    You can also use the following web site: https://www.base64decode.org
© 2025  mtitek