How do I use Basic authentication and SSL with Tomcat?
Author: Deron Eriksson
Description: This tutorial describes the setup of Basic authentication and SSL with Tomcat.
Tutorial created using: Windows XP || JDK 1.5.0_09 || Eclipse Web Tools Platform 1.5.1 || Tomcat 5.5.20
(Continued from page 1)
Now let's fire up the demo web application in Tomcat via Eclipse and try to hit the test servlet via the non-secure HTTP port (8080). Tomcat redirects the request from port 8080 to port 4321, our HTTPS connector. The browser warns about our SSL certificate, since it is self-signed rather than issued by a certificate authority the browser trusts. For a local test setup this is expected and fine; a production server would use a CA-issued certificate so that users never learn to click through this warning.
If we click the 'Continue to this website...' link, we see the Basic authentication pop-up window asking for our username and password. The pop-up message shows that the challenge is coming from port 4321, the HTTPS connector, not from port 8080.
I entered 'myname'/'mypassword' (a user that has the 'tomcat' role in tomcat-users.xml). We are authenticated and reach the test servlet. Notice that the URL we were redirected to is the secure one, https://localhost:4321/tomcat-demo/test. (The 'Certificate Error' indicator can be ignored here; it too is the result of the self-signed certificate.)
Once again, in the test servlet results, we can see that the servlet Base64-decodes the Authorization header and recovers the user name and password. Does this mean the credentials are insecure, since we were able to decode the string? Not in this setup. Base64 is an encoding, not encryption; it provides no secrecy on its own, and anyone holding the header can reverse it. What protected the credentials here is HTTPS: the Base64-encoded header travelled inside the TLS-encrypted connection, so an eavesdropper on the network sees only ciphertext. Tomcat terminated the TLS connection, decrypted the request, and handed the plaintext headers to the servlet, which is why the servlet could decode them. The flip side matters: had the same request gone over plain HTTP on port 8080, the same Authorization header would have crossed the wire in a form that anyone on the path could decode just as trivially. That is exactly what the CONFIDENTIAL transport guarantee prevents.
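To make concrete what the servlet actually receives, here is an added example servlet (it is not the tutorial's own test servlet) that parses the Basic Authorization header the way RFC 7617 describes, splitting on the first colon only, rejecting other schemes and malformed Base64, and refusing to touch credentials that arrived over plain HTTP. It assumes Java 8 or later for java.util.Base64 (the tutorial's JDK 1.5 would need a third-party decoder) and the javax.servlet API; the class name BasicAuthInspectServlet is arbitrary.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the tutorial's TestServlet. Shows what the container hands
 * a servlet after Basic authentication and why decoding it is harmless only
 * because the request arrived over HTTPS. Assumes Java 8+ (java.util.Base64).
 */
public class BasicAuthInspectServlet extends HttpServlet {

    /**
     * Parses an RFC 7617 credential: "Basic " + base64(user ":" password).
     * Returns {user, password}, or null if the header is absent, uses a different
     * scheme, is not valid Base64, or lacks the separating colon. Only the FIRST
     * colon separates the fields: passwords may contain colons, user-ids may not.
     */
    static String[] parseBasicCredentials(String authHeader) {
        if (authHeader == null) {
            return null;
        }
        String trimmed = authHeader.trim();
        // The auth-scheme token is case-insensitive (RFC 7235).
        if (trimmed.length() < 6 || !trimmed.substring(0, 6).equalsIgnoreCase("Basic ")) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(trimmed.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not Base64: reject rather than guess
        }
        // The header has no declared charset unless the server advertised
        // charset="UTF-8" in its challenge; UTF-8 is the usual interpretation.
        String userPass = new String(raw, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] { userPass.substring(0, colon), userPass.substring(colon + 1) };
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Defence in depth: with <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        // Tomcat never delivers a plaintext request here. If that constraint were
        // dropped, the credentials parsed below would have crossed the wire in the clear,
        // so refuse to process them rather than normalise that situation.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Credentials must be sent over HTTPS");
            return;
        }
        String[] creds = parseBasicCredentials(request.getHeader("Authorization"));
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        // The container already validated the user against the realm
        // (tomcat-users.xml in the tutorial); getRemoteUser() reflects that.
        out.println("Authenticated principal (from container): " + request.getRemoteUser());
        out.println("Scheme: " + request.getScheme() + ", port: " + request.getServerPort());
        if (creds != null) {
            // The servlet sees the plaintext credentials; never log or echo the password.
            out.println("User name decoded from Authorization header: " + creds[0]);
            out.println("Password length: " + creds[1].length());
        } else {
            out.println("No parseable Basic credentials in the request.");
        }
    }
}
```

For the tutorial's credentials the browser sends `Authorization: Basic bXluYW1lOm15cGFzc3dvcmQ=`, which is nothing more than the Base64 form of `myname:mypassword`; the parser above recovers both fields from it, and that is precisely why the header must only ever travel inside TLS.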
As you can see, once SSL is configured for Tomcat and Basic authentication is configured for an application, getting them to work together is straightforward. The main change we needed to make was to change the transport-guarantee from NONE to CONFIDENTIAL in the application's web.xml. This makes Tomcat redirect non-secure requests for protected resources to the HTTPS port, so the Basic credentials are only ever exchanged over the encrypted connection.