Tomcat role-based Password Protection
If your website is being served as a Tomcat context, the Apache .htaccess password protection will
not work to prevent access to directories under the site. Instead, you will need to use Tomcat's built-in
role-based security constraints. This requires editing two files:
- The web.xml file of the web application.
- The tomcat-users.xml file of your Tomcat instance.
The web.xml security-constraint definition
A simple web.xml file security constraint looks like the following:
This code should be placed in your web.xml file after any servlet and servlet-mapping
definitions. Placing it in the wrong location may cause Tomcat to not initialize the context
due to syntax errors.
<display-name>Example Security Constraint</display-name>
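A complete constraint of the kind described above, as an added example rather than the original page's listing. The /protected/* URL pattern and the realm name are assumptions; protected_role is the role given to the user in the tomcat-users.xml entry.

```xml
<!-- Added example: place inside <web-app>, after the servlet and
     servlet-mapping definitions. -->
<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Assumed path; change to the directory you want protected. -->
    <url-pattern>/protected/*</url-pattern>
    <!-- No <http-method> elements: the constraint then covers every
         HTTP method. Listing methods protects only the ones listed. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Must match a role in the user's roles attribute in
         tomcat-users.xml. -->
    <role-name>protected_role</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require HTTPS for these URLs. Needs an SSL/TLS connector
         configured in the Tomcat instance. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- How the browser is asked for credentials. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <!-- Assumed realm name, shown in the browser's login prompt. -->
  <realm-name>Protected Area</realm-name>
</login-config>

<!-- Declares the role referenced in the auth-constraint above. -->
<security-role>
  <role-name>protected_role</role-name>
</security-role>
```

BASIC authentication sends the password base64-encoded with every request, which is why the example forces HTTPS with the CONFIDENTIAL transport guarantee.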
The tomcat-users.xml user definition
Users who should have access to the resources protected by the security-constraint should be
defined in your tomcat-users.xml file. An example user definition for the resource defined above
would look as follows:
<user name="protected_user" password="your_password" roles="protected_role" />
After adding security constraints or new users to your definitions, Tomcat must be restarted before the
updates will take effect.
Tomcat also offers form-based security constraints as well as role definitions stored in a database. For
detailed explanations of these features, please see the Tomcat documentation at http://tomcat.apache.org.