JSP Hosting
 


 



Tomcat role-based Password Protection

If your website is being served as a Tomcat context, the Apache .htaccess password protection will not work to prevent access to directories under the site. Instead, you will need to use Tomcat's built-in role-based security constraints. This requires editing two files:

  • The web.xml file of the web application.
  • The tomcat-users.xml file of your Tomcat instance.

The web.xml security-constraint definition

A simple web.xml file security constraint looks like the following:

<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>protected_role</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Protected Area</realm-name>
</login-config>

This code should be placed in your web.xml file after any servlet and servlet-mapping definitions. Placing it in the wrong location may cause Tomcat to not initialize the context due to syntax errors.
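
A check for the constraint above, added here as an example and not part of the original page or of Tomcat: BASIC sends the password only base64-encoded, so a constraint with no CONFIDENTIAL transport guarantee leaves it readable over plain HTTP. The function name audit_web_xml and the sample document (the page's snippet wrapped in a minimal <web-app>) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's constraint wrapped in a minimal <web-app>.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>protected_role</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected Area</realm-name>
  </login-config>
</web-app>"""


def audit_web_xml(xml_text):
    """Return a list of findings for the security constraints in a web.xml."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop any schema namespace so plain tag names match
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared = {r.findtext("role-name", "").strip() for r in root.iter("security-role")}
    method = (root.findtext("login-config/auth-method") or "").strip().upper()
    findings = []
    for sc in root.iter("security-constraint"):
        patterns = ", ".join(p.text.strip() for p in sc.iter("url-pattern") if p.text)
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        # BASIC and FORM both submit the password itself; web.xml must force HTTPS.
        if method in ("BASIC", "FORM") and guarantee != "CONFIDENTIAL":
            findings.append(f"{patterns}: {method} login, but nothing in web.xml forces "
                            "HTTPS (no CONFIDENTIAL transport-guarantee)")
        # A listed <http-method> limits the constraint to those methods only.
        if sc.find("web-resource-collection/http-method") is not None:
            findings.append(f"{patterns}: <http-method> listed; other methods are unprotected")
        for role in sc.iter("role-name"):
            name = (role.text or "").strip()
            if name != "*" and name not in declared:
                findings.append(f"{patterns}: role '{name}' is not declared in <security-role>")
    return findings


if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print(finding)
```

Both findings clear once the constraint carries a user-data-constraint with a transport-guarantee of CONFIDENTIAL and the web.xml declares protected_role in a security-role element.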

The tomcat-users.xml user definition

Users who should have access to the resources protected by the security-constraint should be defined in your tomcat-users.xml file. An example user definition for the resource defined above would look as follows:

<user name="protected_user" password="your_password" roles="protected_role" />

After adding security constraints or new users to your definitions, Tomcat must be restarted before the updates will take effect.

Additional features

Tomcat also offers form-based security constraints as well as role definitions stored in a database. For detailed explanations of these features, please see the Tomcat documentation at http://tomcat.apache.org.

 

Note: MMA technical support staff cannot provide troubleshooting of problems with third-party CGI scripts including but not limited to: Perl scripts, C/C++ binaries, PHP or web/database integration unless these services are specifically contracted. For these services, please see our Quote Request Form.



Copyright © 1995-2012
Motivational Marketing Associates, LLC
All Rights Reserved.