2

I'm looking for a quick way to protect a Tomcat instance and all webapps running on it, so that accessing any page requires credentials (simple username/passwd).

I guess Realm is the "proper" way to do it, but that doesn't seem very simple to set up. We would prefer a way where you don't have to change the webapps themselves at all. Anyone know if there's a "quick and dirty" way to achieve that?

Jonik
  • Thanks to all answerers, and sorry for the lack of any follow up. My need to do this passed, but hopefully this will be useful for future passers-by. – Jonik Dec 16 '11 at 19:53

3 Answers

5

A couple of ideas

(1) If you can modify the web.xml of your webapps, just put in a few lines into the web.xml to require basic authentication. The trick is to make sure that the user has been designated a role in the tomcat-users.xml that matches the role defined in the auth-constraint section of the web.xml:

web.xml:

<auth-constraint>
  <role-name>protected</role-name>
</auth-constraint>

tomcat-users.xml:

<tomcat-users>
  <user name="theuser" password="pas" roles="protected" />
</tomcat-users>

(2) If your Tomcat server has an Apache httpd server in front of it, it's pretty easy to do this in Apache. In your configuration file, you'll just need to set up something like this:

<Location /webappname>
        AuthType Basic
        AuthName "Protected site"
        AuthUserFile /etc/apache2/passwords
        Require user theuser
</Location>
Will Glass
4

I'd put Apache in front of Tomcat and have that handle the authentication.

Here are some instructions on how to do that using mod_jk:

http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html#s72

Once you have that set up you can use basic Apache Auth or the auth module of your choosing.

ckliborn
1

Quick and dirty (not recommended for Production) would be a MemoryRealm.

MemoryRealm loads information about all users, and their corresponding roles, from $CATALINA_BASE/conf/tomcat-users.xml.

Define the Realm within the server.xml inside <Engine> or <Host> and it will apply to all web apps.

JoseK
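Added example, not part of any answer above: a container-wide variant that combines the web.xml constraint from the first answer with the MemoryRealm from the third, leaving the webapps untouched. It assumes Tomcat merges `$CATALINA_BASE/conf/web.xml` into every webapp's descriptor; the `LockOutRealm` wrapper, the TLS requirement and the `CHANGE_ME` password are additions or placeholders, not values from the answers.

```xml
<!-- 1) $CATALINA_BASE/conf/server.xml, inside <Engine> (or <Host>).
     MemoryRealm reads conf/tomcat-users.xml by default; wrapping it in
     LockOutRealm throttles repeated failed logins for the same user. -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.MemoryRealm" />
</Realm>

<!-- 2) $CATALINA_BASE/conf/web.xml, inside <web-app>.
     No <http-method> element is listed, so the constraint covers every
     HTTP method on every URL of every deployed webapp. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Must match a role granted in tomcat-users.xml -->
    <role-name>protected</role-name>
  </auth-constraint>
  <!-- Basic auth only base64-encodes the password, so require TLS.
       This needs an HTTPS connector on Tomcat; leave it out only when
       TLS is terminated by a proxy in front of Tomcat. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Protected site</realm-name>
</login-config>
<security-role>
  <role-name>protected</role-name>
</security-role>

<!-- 3) $CATALINA_BASE/conf/tomcat-users.xml
     CHANGE_ME is a placeholder; restrict read access to this file,
     since MemoryRealm stores the password in clear text here. -->
<tomcat-users>
  <role rolename="protected" />
  <user username="theuser" password="CHANGE_ME" roles="protected" />
</tomcat-users>
```

A webapp that ships its own `<login-config>` overrides the global one, so after restarting Tomcat confirm that each deployed app answers an unauthenticated request with 401.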