Samples | DIGEST Authentication (Tomcat)
  1. The application structure
  2. Configure the file "tomcat-users.xml"
  3. Add and configure the file "web.xml"
  4. Add and configure the file "index.jsp"
  5. Test the DIGEST authentication

  1. The application structure
    |+ ${TOMCAT_HOME}
       |+ webapps
          |+ auth
             |+ WEB-INF
                |+ web.xml
             |+ jsp
                |+ index.jsp
  2. Configure the file "tomcat-users.xml"
    Declare the role and the user(s) that will be allowed to authenticate to the application. The role name declared here ("tomcat") is the one the application's web.xml references in its <auth-constraint>.

    File location: ${TOMCAT_HOME}/conf/tomcat-users.xml

    Example (these elements go inside the <tomcat-users> root element of the file):
    <role rolename="tomcat"/>

    <user username="tomcat" password="tomcat" roles="tomcat"/>

    With DIGEST authentication the realm must be able to produce MD5(username:realm:password), so the password is stored either in cleartext, as above, or already as that MD5 digest (see "Digested Passwords" in Tomcat's Realm Configuration HOW-TO for the ${TOMCAT_HOME}/bin/digest script and the CredentialHandler the realm then needs). In both cases the realm string is the <realm-name> from web.xml, here "UserDatabase". The tomcat/tomcat credentials are for this local test only; do not keep them on a reachable server.
  3. Add and configure the file "web.xml"
    Configure the application so that Tomcat protects it with DIGEST authentication: a <security-constraint> selects the protected URLs and the role allowed to access them, and <login-config> selects the DIGEST method and the realm name.

    File location: ${TOMCAT_HOME}/webapps/auth/WEB-INF/web.xml

    Two points to check in this file:
    • <http-method>GET</http-method> limits the constraint to GET. Any other method (POST, HEAD, PUT, ...) on /jsp/* is uncovered and therefore reachable without authentication; Tomcat logs a warning about uncovered methods when the application is deployed. Either drop the <http-method> element so the constraint covers every method, or add <deny-uncovered-http-methods/> (Servlet 3.1 and later).
    • <realm-name> is part of the digest: the browser hashes username:realm:password, so it must be exactly the string used when (pre-)digesting the stored passwords.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
        version="4.0"
        metadata-complete="true">
    
        <welcome-file-list>
            <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>
    
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Web Resource - Allow GET method</web-resource-name>
    
                <url-pattern>/jsp/*</url-pattern>
    
                <http-method>GET</http-method>
            </web-resource-collection>
    
            <auth-constraint>
                <role-name>tomcat</role-name>
            </auth-constraint>
        </security-constraint>
    
        <security-role>
            <role-name>tomcat</role-name>
        </security-role>
    
        <login-config>
            <auth-method>DIGEST</auth-method>
            <realm-name>UserDatabase</realm-name>
        </login-config>
    </web-app>
  4. Add and configure the file "index.jsp"
    Here is a simple page that shows the authenticated user name; request.getRemoteUser() returns null when the request was not authenticated.

    File location: ${TOMCAT_HOME}/webapps/auth/jsp/index.jsp

    <html>
      <head>
        <title>Index Page</title>
      </head>
    
      <body>
    User: <b><%= request.getRemoteUser() %></b>
      </body>
    </html>
  5. Test the DIGEST authentication
    URL: http://localhost:8080/auth/jsp/

    The browser shows its login prompt; after entering the credentials from tomcat-users.xml (tomcat/tomcat), the page displays "User: tomcat".

    Here are the request headers as sent by the browser, and the response headers as sent back by Tomcat:

    • First, the browser will send these headers as part of the request:
      GET /auth/jsp/ HTTP/1.1
      Host: localhost:8080
      ...

    • Second, because the request carried no Authorization header, Tomcat answers with a challenge (401 Unauthorized). The nonce is generated per challenge and the opaque value must be echoed back unchanged:
      HTTP/1.1 401
      WWW-Authenticate: Digest realm="UserDatabase", qop="auth",
                        nonce="1477333786610:4694e697ce28d3fec1f84a34cb086ad4",
                        opaque="A61241EB4E820D515BBC0FC63C3B12D2"
      ...

    • When you enter the username and password in the browser's login prompt, the browser computes HA1 = MD5(username:realm:password), HA2 = MD5(method:uri) and response = MD5(HA1:nonce:nc:cnonce:qop:HA2), and re-sends the request with an Authorization header. The password itself is never sent:
      GET /auth/jsp/ HTTP/1.1
      Host: localhost:8080
      Authorization: Digest username="tomcat", realm="UserDatabase", nonce="1477333786610:4694e697ce28d3fec1f84a34cb086ad4",
                     uri="/auth/jsp/", response="f148822e4c467ad9827d3554526f7739", opaque="A61241EB4E820D515BBC0FC63C3B12D2",
                     qop=auth, nc=00000001, cnonce="58960d3f673835e1"
      ...

    • Then Tomcat recomputes the response from the credentials in the realm and, if it matches, serves the page and creates a session (200 OK). The authenticated principal is cached in that session, so from here on the JSESSIONID cookie alone grants access and is as sensitive as the credentials; on plain HTTP it travels in the clear, so put TLS in front of Tomcat for anything but a local test:
      HTTP/1.1 200
      Set-Cookie: JSESSIONID=09DA19AE05A9132A594F5B4D0E4ECC9E;path=/auth/;HttpOnly
      ...
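    To make the response value in the exchange above concrete, here is the RFC 2617 Digest computation (qop=auth, MD5) worked through on both sides. This is an added example, not Tomcat's code: the parameter values are copied from the headers captured above, the password "tomcat" is the one from tomcat-users.xml, and the DigestServer class is a simplified model of the server side (it keeps only MD5(username:realm:password) per user, bounds the nonce age to Tomcat's default of 5 minutes and recomputes the response), not Tomcat's implementation. Running it prints the response computed for the captured parameters next to the captured one, so the two can be compared.

```python
"""HTTP Digest authentication (RFC 2617, qop=auth, MD5) on both sides of the exchange.
Added example, not Tomcat code. Parameter values are copied from the headers captured
on this page; "tomcat"/"tomcat" are the credentials from tomcat-users.xml."""
import hashlib
import hmac
import re

# The Authorization header captured above, joined into one line.
CAPTURED_AUTHORIZATION = (
    'Digest username="tomcat", realm="UserDatabase", '
    'nonce="1477333786610:4694e697ce28d3fec1f84a34cb086ad4", '
    'uri="/auth/jsp/", response="f148822e4c467ad9827d3554526f7739", '
    'opaque="A61241EB4E820D515BBC0FC63C3B12D2", '
    'qop=auth, nc=00000001, cnonce="58960d3f673835e1"'
)
# The challenge parameters from the captured 401 response.
CAPTURED_CHALLENGE = {
    "realm": "UserDatabase",
    "nonce": "1477333786610:4694e697ce28d3fec1f84a34cb086ad4",
    "opaque": "A61241EB4E820D515BBC0FC63C3B12D2",
}


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """MD5(username:realm:password): the only secret the server has to keep. It is also
    the 'digested password' Tomcat can store instead of the cleartext, which is why
    <realm-name> in web.xml must equal the realm used when digesting."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), with HA2 = MD5(method:uri)."""
    h2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def parse_authorization(header):
    """Parse 'Digest k="v", k=v, ...' into a dict; quoted and bare values both occur."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3) for m in pairs}


def build_authorization(username, password, method, uri, challenge, nc, cnonce):
    """Client side: answer a WWW-Authenticate challenge. Only the hash of the password
    is sent; every other parameter is visible on the wire."""
    realm, nonce = challenge["realm"], challenge["nonce"]
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", opaque="{challenge["opaque"]}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}"')


class DigestServer:
    """Simplified model of the server side (assumed behaviour, not Tomcat's code):
    store HA1 only, bound the nonce age, recompute the response and compare."""

    def __init__(self, realm, users, nonce_validity_ms=5 * 60 * 1000):
        self.realm = realm
        self.ha1_by_user = {u: ha1(u, realm, p) for u, p in users.items()}
        self.nonce_validity_ms = nonce_validity_ms  # Tomcat's default nonceValidity is 5 min

    def nonce_is_fresh(self, nonce, now_ms):
        # Tomcat nonces look like "<issue time in ms>:<md5>"; the prefix bounds their lifetime.
        issued, _, _ = nonce.partition(":")
        return issued.isdigit() and 0 <= now_ms - int(issued) <= self.nonce_validity_ms

    def authenticate(self, method, request_uri, header, now_ms):
        """Return the authenticated user name, or None when the request must get a 401."""
        try:
            p = parse_authorization(header)
            if p["realm"] != self.realm or p["qop"] != "auth" or p["uri"] != request_uri:
                return None
            if not self.nonce_is_fresh(p["nonce"], now_ms):
                return None  # stale nonce: Tomcat would re-challenge with stale=true
            h1 = self.ha1_by_user.get(p["username"])
            if h1 is None:
                return None
            expected = digest_response(h1, method, request_uri, p["nonce"], p["nc"], p["cnonce"])
            # Constant-time comparison so timing does not leak the expected digest.
            return p["username"] if hmac.compare_digest(expected, p["response"]) else None
        except (KeyError, ValueError, TypeError):
            return None


if __name__ == "__main__":
    server = DigestServer("UserDatabase", {"tomcat": "tomcat"})
    now = 1477333786610 + 1000  # one second after the captured nonce was issued
    header = build_authorization("tomcat", "tomcat", "GET", "/auth/jsp/",
                                 CAPTURED_CHALLENGE, "00000001", "58960d3f673835e1")
    print("computed response:", parse_authorization(header)["response"])
    print("captured response:", parse_authorization(CAPTURED_AUTHORIZATION)["response"])
    print("valid login      ->", server.authenticate("GET", "/auth/jsp/", header, now))
    bad = build_authorization("tomcat", "wrong", "GET", "/auth/jsp/",
                              CAPTURED_CHALLENGE, "00000001", "58960d3f673835e1")
    print("wrong password   ->", server.authenticate("GET", "/auth/jsp/", bad, now))
    print("nonce 10 min old ->", server.authenticate("GET", "/auth/jsp/", header, now + 600_000))
```

    Two caveats the exchange makes visible: every parameter except the password travels in the clear and the response is an unsalted MD5 over them, so a captured exchange can be brute-forced offline against a password list, and nothing in the scheme protects the page content; run it behind TLS. Tomcat also tracks the nonce count (nc) to limit replay of a captured header, which this model leaves out.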
© 2025  mtitek