Samples | DIGEST Authentication (Tomcat)
  1. The application structure
  2. Configure the file "tomcat-users.xml"
  3. Add and configure the file "web.xml"
  4. Add and configure the file "index.jsp"
  5. Test the DIGEST authentication
  1. The application structure 
    |+ ${TOMCAT_HOME}
   |+ webapps
      |+ auth
         |+ WEB-INF
            |+ web.xml
         |+ jsp
            |+ index.jsp
  2. Configure the file "tomcat-users.xml"
    You need to activate the users/roles that will be authorized to authenticate to the application.

    File location: ${TOMCAT_HOME}/conf/tomcat-users.xml

    Example:
    <role rolename="tomcat"/>

<user username="tomcat" password="tomcat" roles="tomcat"/>
  3. Add and configure the file "web.xml"
    You need to configure your application so it will handle DIGEST Authentication.

    File location: ${TOMCAT_HOME}/webapps/auth/WEB-INF/web.xml

    <?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
    version="4.0"
    metadata-complete="true">

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Web Resource - Allow GET method</web-resource-name>

            <url-pattern>/jsp/*</url-pattern>

            <http-method>GET</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>tomcat</role-name>
    </security-role>

    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>UserDatabase</realm-name>
    </login-config>
</web-app>
  4. Add and configure the file "index.jsp"
    Here's a simple page that will show the connected user.

    File location: ${TOMCAT_HOME}/webapps/auth/jsp/index.jsp

    <html>
  <head>
    <title>Index Page</title>
  </head>

  <body>
User: <b><%= request.getRemoteUser() %>
  </body>
</html>
  5. Test the DIGEST authentication
    URL: http://localhost:8080/auth/jsp/

    tomcat-digest-authentication

    Here are the requests headers as it will be send by the browser, and the responses headers as it will be send back by Tomcat:

    • First, the browser will send these headers as part of the request: 
      GET /auth/jsp/ HTTP/1.1
Host: localhost:8080
...

    • Second, Tomcat will send back these headers as part of the response (401 Unauthorized): 
      HTTP/1.1 401
WWW-Authenticate: Digest realm="UserDatabase", qop="auth",
                  nonce="1477333786610:4694e697ce28d3fec1f84a34cb086ad4",
                  opaque="A61241EB4E820D515BBC0FC63C3B12D2"
...

    • When you fill your username/password and you click the "Log In" button, the browser will send these headers as part of the request: 
      GET /auth/jsp/ HTTP/1.1
Host: localhost:8080
Authorization: Digest username="tomcat", realm="UserDatabase", nonce="1477333786610:4694e697ce28d3fec1f84a34cb086ad4",
               uri="/auth/jsp/", response="f148822e4c467ad9827d3554526f7739", opaque="A61241EB4E820D515BBC0FC63C3B12D2",
               qop=auth, nc=00000001, cnonce="58960d3f673835e1"
...

    • Then Tomcat will send back these headers as part of the response (200 OK): 
      HTTP/1.1 200
Set-Cookie: JSESSIONID=09DA19AE05A9132A594F5B4D0E4ECC9E;path=/abc/;HttpOnly
...
© 2025  mtitek