I had a good lunch today with a friend who wanted to quickly set up simple (yet strong) authentication on a Tomcat web server using his own login page. Since forms authentication is built into all J2EE web servers (and ASP .NET servers, for that matter), it’s quite easy.
In summary, the steps for Tomcat are:
- Add security-constraints to WEB-INF/web.xml to specify protected resources / folders. Also include auth-constraints and security-roles for access.
- Create user and user role tables and configure the JDBC realm in server.xml. Or, simply start with defining users directly in tomcat-users.xml; you can always add the database later.
- Create the login and login error JSPs, pointing to them from the login-config section of web.xml. Remember to include the required form element names in the JSP (j_security_check, j_username, j_password, etc.). Also note that these pages can’t use style sheets and other external files, so you have to (redundantly) embed style information directly into the JSP.
By default, all traffic (including login passwords) isn’t encrypted, so this should only be used with SSL/TLS encryption in place. That means installing a digital certificate, which is also fairly easy. That is:
- Purchase an SSL certificate. For initial testing, you can create a self-signed cert using keytool, included with JSSE.
- Edit server.xml and enable the SSL (port 8443) connector. The commands are already present, just un-comment them.
- If the server is local, re-start Tomcat, open your browser, and access your site using the https://localhost:8443 URL. Look for the browser cues for a secure site: padlock icon, green or yellow address bar, etc.
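Putting both sets of steps together, here is an added example (not from the original post) of the four files involved: the web.xml constraint with forced HTTPS, the login form with the container's fixed field names, a test user, and the 8443 connector. The /secure/* path, the "member" role, the user "alice" and the Tomcat 8.5+ connector syntax are assumptions.

```xml
<!-- WEB-INF/web.xml (excerpt): protect /secure/*, require the "member" role, and force HTTPS -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members only</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL: plain-HTTP requests for these URLs are redirected to the HTTP
         connector's redirectPort (8443 by default), so the login form is shown and
         submitted over HTTPS whenever a protected URL is requested -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>

<!-- login.jsp (excerpt): the container only recognises these exact action and field names -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username" autocomplete="username" />
  <input type="password" name="j_password" autocomplete="current-password" />
  <button type="submit">Log in</button>
</form>

<!-- conf/tomcat-users.xml (excerpt): a constructed test user. The password sits in plain
     text here, so move to the JDBC realm with a CredentialHandler before going live -->
<tomcat-users>
  <role rolename="member" />
  <user username="alice" password="change-me" roles="member" />
</tomcat-users>

<!-- conf/server.xml (excerpt): the HTTPS connector Tomcat ships commented out (8.5+ syntax) -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
  </SSLHostConfig>
</Connector>
```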
You may eventually switch to more sophisticated methods, like integrating with external security systems for single sign on (e.g., using SAML). But the simple steps above will get you going quickly with basic, unbreakable authentication.