[Demo] Basic and Digest Authentication using Apache Tomcat server Part 1 - Trying it out

We have seen enough theory on Authentication and Authorization. Now we will actually get our hands dirty trying it out for basic and digest authentication.

Steps to configure basic/digest authentication can be summarized as:

  1. Define the type of authentication (here BASIC/DIGEST)

  2. Define roles, users and create mapping between them

  3. Define resource collections to which security should be applied

  4. Map roles with security constraints


Initial setup

Before configuring security, we will create the basic setup needed along with two servlets and a JSP to test the application.


Define the type of authentication

We can specify the type of authentication we want using the <auth-method> element inside the <login-config> element, which is inside the <web-app> element.



  <realm-name>Restricted Access</realm-name>



Define users and roles

Assigning users to roles are specific to Java EE servers:

  • Apache Tomcat server, by default, support XML configuration files to store user and role mappings and also JDBC realm (looking credentials from a database).

  • Users can be configured in tomcat in the file tomcat-users.xml under the directory <TOMCAT-INSTALL-DIR>/conf.

Create two new roles and then two users belonging to those roles in the file tomcat-users.xml:

<role rolename="administrator"/>

<role rolename="user"/>

<user username="admin" password="tomcat" roles="administrator"/>

<user username="user1" password="tomcat" roles="user"/>


We should also specify the roles we want to use in the application in the <role-name> element inside the <security-role> element, which is inside the <web-app> element.

You may have only one <role-name> element inside the <security-role> element, but you may have any number of <security-role> elements.

We can define two roles we need as:







Without this if you use the role you will get an error in log that used in an <auth-constraint> without being defined in a <security-role>.


Define resource collections to which security should be applied

Authorization and confidentiality requirements for a specified collection of web resources can be specified using the <security-constraint> element.








Map roles with security constraints

We can map security constraints with user roles using the <auth-constraint> sub element of <security-constraint> element.

Place this also inside the <security-constraint> element:





Complete security constraint element will now look as:











Deploying and executing the application

Export the project as a war and deploy the application into the tomcat and run the servlet and JSP urls:

Client browser will show a pop-up as:

If you give the user and password for a role with required permission (e.g. admin/tomcat) as defined in the tomcat-users.xml file, you will be allowed to access the servlet and you can see the text.

If you enter a valid user, but from a role which does not have permission (e.g. user1/tomcat), you will get “HTTP Status 403 – Access to the requested resource has been denied” response.

If you cancel the password prompt, you will get HTTP Status 401 with a description that this request requires authentication.

Important Notes and TODOs!

  1. The url-pattern /* indicates that the whole application requires authentication.

    1. TODO: Change the pattern to “/RestrictedServlet” and now only RestrictedServlet will be having security constraint, not OpenServlet or SimpleJSP.jsp.

  2. Since we have not specified any <http-method> tag inside <web-resource-collection>, this constraint will be applicable for any HTTP Methods.

    1. If we mention <http-method>GET</http-method> and <http-method>POST</http-method>, then this constraint will be applicable to only GET and POST.

  3. <role-name>*</role-name> denote all authenticated users belonging to all roles in the application

    1. TODO: Change the web.xml to allow all authenticated users to access the OpenServlet.

  4. Omitting all <role-name> elements will grant access to all users irrespective of whether they are authenticated or not.

    1. TODO: Change the web.xml to allow anyone to access the SimpleJSP


Confidentiality and data integrity are configured using <transport-guarantee> sub element of <user-data-constraint> element, which is a sub element of the <security-constraint> element. Default is NONE, which is equivalent to having the below code in the <security-contraint> element:




We will see <transport-guarantee> in detail in another demo.


Digest Authentication

Just change the value of <auth-method> element inside the <login-config> element from BASIC to DIGEST. Everything else is same for both BASIC and DIGEST authentication.

There will be no difference from outside, but change will be in the way password is actually sent in the response.


We will next see how password is actually transmitted in case of BASIC and DIGEST.


Quick Notes Finder Tags

Activities (1) advanced java (1) agile (3) App Servers (6) archived notes (2) Arrays (1) Best Practices (12) Best Practices (Design) (3) Best Practices (Java) (7) Best Practices (Java EE) (1) BigData (3) Chars & Encodings (6) coding problems (2) Collections (15) contests (3) Core Java (All) (55) course plan (2) Database (12) Design patterns (8) dev tools (3) downloads (2) eclipse (9) Essentials (1) examples (14) Exception (1) Exceptions (4) Exercise (1) exercises (6) Getting Started (18) Groovy (2) hadoop (4) hibernate (77) hibernate interview questions (6) History (1) Hot book (5) http monitoring (2) Inheritance (4) intellij (1) java 8 notes (4) Java 9 (1) Java Concepts (7) Java Core (9) java ee exercises (1) java ee interview questions (2) Java Elements (16) Java Environment (1) Java Features (4) java interview points (4) java interview questions (4) javajee initiatives (1) javajee thoughts (3) Java Performance (6) Java Programmer 1 (11) Java Programmer 2 (7) Javascript Frameworks (1) Java SE Professional (1) JPA 1 - Module (6) JPA 1 - Modules (1) JSP (1) Legacy Java (1) linked list (3) maven (1) Multithreading (16) NFR (1) No SQL (1) Object Oriented (9) OCPJP (4) OCPWCD (1) OOAD (3) Operators (4) Overloading (2) Overriding (2) Overviews (1) policies (1) programming (1) Quartz Scheduler (1) Quizzes (17) RabbitMQ (1) references (2) restful web service (3) Searching (1) security (10) Servlets (8) Servlets and JSP (31) Site Usage Guidelines (1) Sorting (1) source code management (1) spring (4) spring boot (3) Spring Examples (1) Spring Features (1) spring jpa (1) Stack (1) Streams & IO (3) Strings (11) SW Developer Tools (2) testing (1) troubleshooting (1) user interface (1) vxml (8) web services (1) Web Technologies (1) Web Technology Books (1) youtube (1)