How do I use Basic authentication with Tomcat?
Author: Deron Eriksson
Description: This tutorial describes setting up Basic authentication on Tomcat.
Tutorial created using: Windows XP || JDK 1.5.0_09 || Eclipse Web Tools Platform 1.5.1 || Tomcat 5.5.20
(Continued from page 1)
When we try to hit the test servlet, we are greeted by a pop-up window asking for our name and password. I'll enter 'myname' and 'mypassword', which, as we saw above, is a user in tomcat-users.xml that has the 'tomcat' role, which our web.xml file says can access the protected resource (i.e., our test servlet).
As you can see, we were authenticated and given access to the resource that we requested in the browser. Notice the results at the very bottom of the browser window. I stripped off the 'Basic ' prefix of the Authorization header, leaving the string of seemingly random characters beginning with 'bXlu...', which I displayed on the screen. I then Base64-decoded that string, and look at what we're left with! We can see the user name and password that we entered in the browser pop-up window ('myname:mypassword')!
That sure was easy to figure out the name and password that I entered in the browser pop-up window, wasn't it? That 'bXlu...' string looks like our user name and password are protected, but they're not. Base64 is an encoding, not encryption: the characters are just rearranged, and anyone who can see the header can reverse it instantly with no key at all. This is why you should use SSL when you are doing your authentication.
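To make that point concrete, here is an added Python example (not code from the tutorial, and not the test servlet shown on the previous page). It takes a constructed copy of the request the browser sends after the pop-up, decodes the Authorization header exactly as the servlet did, and reports whether the credentials crossed the wire in the clear. The function names, the sample request and the over_tls flag are assumptions of this example; nothing here comes from Tomcat.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample: the request our browser sent after the pop-up, carrying
# the same 'bXlu...' token that the test servlet read back and decoded.
SAMPLE_REQUEST = (
    "GET /BasicAuthTest/test HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Authorization: Basic bXluYW1lOm15cGFzc3dvcmQ=\r\n"
    "\r\n"
)


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP request into a lower-cased header-name -> value dict."""
    headers = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic_credentials(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an 'Authorization: Basic ...' value.

    Returns None when the header is absent, uses another scheme, or is not
    valid Base64. Only the first ':' separates name from password, so a
    password that itself contains ':' survives intact.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def audit_request(raw_request: str, over_tls: bool) -> dict:
    """Report whether Basic credentials in this request travelled in the clear.

    'over_tls' is supplied by the caller (for example, which connector the
    request arrived on); the HTTP text itself does not say.
    """
    creds = decode_basic_credentials(parse_headers(raw_request).get("authorization"))
    return {
        "basic_auth_present": creds is not None,
        "username": creds[0] if creds else None,
        "cleartext_exposure": creds is not None and not over_tls,
    }


if __name__ == "__main__":
    print(decode_basic_credentials("Basic bXluYW1lOm15cGFzc3dvcmQ="))
    print(audit_request(SAMPLE_REQUEST, over_tls=False))
```

The decoding needs nothing but the header value, which is the whole point: the only thing standing between the header and the password is the transport it travels on.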
In this tutorial, you have seen that Basic authentication is really easy to set up. You need (1) a username, password and role in tomcat-users.xml, (2) the protected resources, and the roles that have access to them, specified in web.xml, and (3) a setting in web.xml saying that you'd like to use BASIC authentication. In addition, you have seen that Base64-encoding of usernames and passwords is really not secure at all, so you have an understanding of why SSL is a VERY good idea when doing authentication.
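As an added example that is not part of the tutorial, the following Python script pulls steps (2) and (3) together with the SSL advice. It embeds a constructed web.xml in the shape described above (the test servlet protected, only the 'tomcat' role admitted, BASIC selected) in two versions: the first has no transport guarantee, so the Base64 header is accepted over plain HTTP; the second adds a user-data-constraint of CONFIDENTIAL, the standard servlet element that makes Tomcat refuse the plain-HTTP request and redirect it to its SSL connector (assuming one is configured). The audit function then flags every security-constraint in a BASIC-auth web.xml that lacks that guarantee. The servlet class, URL pattern, realm name and function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: protected test servlet, 'tomcat' role, BASIC login.
# This copy has no <user-data-constraint>, so credentials may travel in clear.
WEB_XML_WEAK = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>TestServlet</servlet-name>
    <servlet-class>test.TestServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/test</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected servlet</web-resource-name>
      <url-pattern>/test</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Test Realm</realm-name>
  </login-config>
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
</web-app>
"""

# Same descriptor with the transport guarantee added right after the
# auth-constraint (the position the web-app schema requires).
WEB_XML_HARDENED = WEB_XML_WEAK.replace(
    "    </auth-constraint>\n",
    "    </auth-constraint>\n"
    "    <user-data-constraint>\n"
    "      <transport-guarantee>CONFIDENTIAL</transport-guarantee>\n"
    "    </user-data-constraint>\n",
)


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(web_xml: str) -> list:
    """Return one finding per security-constraint that would let BASIC
    credentials be sent without TLS. Anything other than CONFIDENTIAL
    (NONE, or INTEGRAL, which does not imply encryption) is reported."""
    root = ET.fromstring(web_xml)
    auth_method = None
    for el in root.iter():
        if _local(el.tag) == "auth-method":
            auth_method = (el.text or "").strip().upper()
    findings = []
    if auth_method != "BASIC":
        return findings  # other schemes are outside this check's scope
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [(p.text or "").strip() for p in sc.iter()
                    if _local(p.tag) == "url-pattern"]
        guarantee = "NONE"  # the default when the element is absent
        for g in sc.iter():
            if _local(g.tag) == "transport-guarantee":
                guarantee = (g.text or "").strip().upper()
        if guarantee != "CONFIDENTIAL":
            findings.append({
                "url_patterns": patterns,
                "transport_guarantee": guarantee,
                "issue": "BASIC credentials accepted over plain HTTP",
            })
    return findings


if __name__ == "__main__":
    print("weak:", audit_web_xml(WEB_XML_WEAK))
    print("hardened:", audit_web_xml(WEB_XML_HARDENED))
```

Run it against a deployed application's WEB-INF/web.xml instead of the embedded string and it becomes a quick pre-deployment check that no BASIC-protected path has been left reachable over plain HTTP.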