
Add basic auth in Tomcat 8.5

Open tomcat-users.xml with the following command

sudo vim /usr/share/tomcat/conf/tomcat-users.xml

Enter the following content inside the <tomcat-users> </tomcat-users> tag

<role rolename="tomcat"/>
<user username="the-user-name" password="th3-p@$$w0rd" roles="tomcat"/>

Now open the web.xml file inside your application with the following command

sudo vim /usr/share/tomcat/webapps/ROOT/WEB-INF/web.xml

and enter the following content inside the <web-app> </web-app> tag

<security-constraint>
	<web-resource-collection>
		<web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
		<url-pattern>/*</url-pattern>
		<!-- Listing http-method elements limits this constraint to the listed methods only;
		     any method that is not listed (HEAD, PUT, DELETE, OPTIONS, ...) stays unprotected.
		     Remove the two http-method elements to require authentication for every method. -->
		<http-method>GET</http-method>
		<http-method>POST</http-method>
	</web-resource-collection>
	<auth-constraint>
		<role-name>tomcat</role-name>
	</auth-constraint>

	<user-data-constraint>
		<!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE.
		     NONE lets the Basic credentials travel base64-encoded over plain HTTP;
		     use CONFIDENTIAL when Tomcat terminates TLS itself. -->
		<transport-guarantee>NONE</transport-guarantee>
	</user-data-constraint>
</security-constraint>

<login-config>
	<auth-method>BASIC</auth-method>
</login-config>

Restart tomcat with the following command

sudo systemctl restart tomcat

The basic auth should now be set.
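The two pitfalls in the web.xml snippet above (an http-method list that leaves unlisted methods unprotected, and BASIC auth over a NONE transport guarantee) are easy to miss by eye, so here is an offline audit of a web.xml that flags both and shows the hardened form beside it. This is an added example, not code from the original post or from Tomcat; the embedded web.xml is a constructed copy of the post's configuration, and the element names it looks for are the standard Servlet deployment-descriptor names.

```python
"""Audit a Tomcat web.xml for two Basic-auth pitfalls and emit a hardened copy.

Added example (not part of the original post). Checks:
  1. security-constraint blocks that list http-method elements, which leave
     every unlisted method (HEAD, PUT, DELETE, OPTIONS, ...) unprotected;
  2. BASIC auth combined with transport-guarantee NONE (or absent), which
     sends credentials base64-encoded over plaintext HTTP.
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the post's snippet (no XML namespace, like the post).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so namespaced web.xml files also work."""
    return tag.rsplit("}", 1)[-1]


def _find_all(parent, name):
    """All descendants of parent (including parent) whose local tag name is `name`."""
    return [e for e in parent.iter() if _local(e.tag) == name]


def _qualified(root, name):
    """Build a tag in the root element's namespace (if any) for elements we create."""
    if root.tag.startswith("{"):
        return root.tag[: root.tag.index("}") + 1] + name
    return name


def audit_web_xml(xml_text):
    """Return a list of (code, message) findings for the given web.xml text."""
    root = ET.fromstring(xml_text)
    findings = []
    auth_methods = {e.text.strip().upper() for e in _find_all(root, "auth-method") if e.text}
    for sc in _find_all(root, "security-constraint"):
        patterns = [e.text.strip() for e in _find_all(sc, "url-pattern") if e.text]
        methods = [e.text.strip().upper() for e in _find_all(sc, "http-method") if e.text]
        if methods:
            findings.append(("METHOD_RESTRICTED",
                             "constraint for %s only covers %s; all other HTTP methods are "
                             "unprotected. Remove the http-method elements." % (patterns, methods)))
        guarantees = [e.text.strip().upper() for e in _find_all(sc, "transport-guarantee") if e.text]
        guarantee = guarantees[0] if guarantees else "NONE"  # a missing element defaults to NONE
        if "BASIC" in auth_methods and guarantee != "CONFIDENTIAL":
            findings.append(("PLAINTEXT_BASIC",
                             "BASIC auth with transport-guarantee %s on %s sends credentials "
                             "over plain HTTP; use CONFIDENTIAL." % (guarantee, patterns)))
    return findings


def harden_web_xml(xml_text):
    """Return web.xml text with http-method lists removed and CONFIDENTIAL transport enforced."""
    root = ET.fromstring(xml_text)
    for wrc in _find_all(root, "web-resource-collection"):
        for m in [c for c in list(wrc) if _local(c.tag) == "http-method"]:
            wrc.remove(m)
    for sc in _find_all(root, "security-constraint"):
        udcs = _find_all(sc, "user-data-constraint")
        udc = udcs[0] if udcs else ET.SubElement(sc, _qualified(root, "user-data-constraint"))
        tgs = _find_all(udc, "transport-guarantee")
        tg = tgs[0] if tgs else ET.SubElement(udc, _qualified(root, "transport-guarantee"))
        tg.text = "CONFIDENTIAL"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for code, msg in audit_web_xml(SAMPLE_WEB_XML):
        print("%s: %s" % (code, msg))
    print("after hardening:", audit_web_xml(harden_web_xml(SAMPLE_WEB_XML)))
```

Run it against a real descriptor with `audit_web_xml(open("/usr/share/tomcat/webapps/ROOT/WEB-INF/web.xml").read())`. One caveat on the hardened output: CONFIDENTIAL makes Tomcat redirect plain-HTTP requests to its TLS port, so behind a TLS-terminating proxy such as Application Gateway the connector must be told the connection is already secure (for example via RemoteIpValve or `secure="true"` on the connector), otherwise requests loop on the redirect.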

Additional info:

If you are using Azure Application Gateway and are getting a 502 error, set up a custom health probe for that HTTP setting, as in the following screenshot. With Basic auth enabled, the default probe receives a 401 instead of a 2xx/3xx response, so the gateway marks the backend unhealthy and answers with 502; the custom probe therefore has to target a path outside the security constraint or accept 401 as a healthy status.