Configure Tomcat for Secure Web Apps
Use Tomcat's deployment descriptor to secure your Web applications without writing a single line of code
by Budi Kurniawan
June 2002 Issue
Typically, a Java Web application developer restricts access to part of an application by prompting users to authenticate themselves with a user name and password that will be compared against data in a database or other storage. Although this can be effective, there's an easier method of securing applications—one that doesn't require you to write a single line of code. You can configure the Tomcat deployment descriptor of the Web application you want to secure, using the security-constraint and login-config elements. This article applies to Tomcat version 4.0.
Imposing Security Constraints
By configuring the deployment descriptor, you can restrict access to some resources in an application in several ways. For example, you can require the user to log in to view a particular resource. (The browser can display its login dialog automatically, or you can use your own login dialog.) You can also restrict access to a resource if the request is sent using a particular HTTP method. For instance, you can mandate that a resource is viewable as long as the user requests it using the POST method.
You can also choose which resources to protect by specifying a URL pattern. If the HTTP request's URL matches that pattern, access to the resource is restricted; that is, the user will be required to log in. For instance, if the URL pattern you give is /servlet/FirstServlet, the Web container will restrict any request whose URL (such as http://domain/myApp/servlet/FirstServlet) matches that pattern. You can use the wildcard * to represent any set of characters. For instance, the URL pattern /servlet/* will restrict access to any URL that contains /servlet/, such as http://domain/myApp/servlet/Testing or http://domain/myApp/servlet/Filter.
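As an added example (not from the article), here is a web.xml fragment for Tomcat 4.0 (Servlet 2.3) that puts the security-constraint and login-config elements together: it protects the /servlet/* pattern discussed above and lets the browser display its own login dialog via BASIC authentication. The role name "registered" and the realm name "myApp" are assumptions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- The application's servlet and servlet-mapping elements go here. -->

  <!-- Protect every context-relative path under /servlet/, e.g.
       /servlet/FirstServlet, /servlet/Testing and /servlet/Filter. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Servlets</web-resource-name>
      <url-pattern>/servlet/*</url-pattern>
      <!-- No http-method elements: the constraint applies to ALL methods.
           Listing, say, <http-method>POST</http-method> would constrain
           only POST and leave GET, HEAD, etc. on the same URLs open. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Only authenticated users holding this (assumed) role may pass. -->
      <role-name>registered</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require HTTPS so the credentials do not travel in clear text. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- BASIC: the browser prompts with its built-in login dialog. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myApp</realm-name>
  </login-config>

  <!-- Declare the role. The user/role mapping itself lives in the Realm
       configured in server.xml; Tomcat 4's default MemoryRealm reads it
       from conf/tomcat-users.xml. -->
  <security-role>
    <role-name>registered</role-name>
  </security-role>

</web-app>
```

Note that omitting auth-constraint entirely means no login is required for the matched URLs, whereas an auth-constraint with no role-name denies everyone; check which of the two you actually wrote.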