Setting up Secure Web Authentication in Tomcat
Written by Atul Kahate
Apr 18, 2007 at 10:17 AM
User authentication is perhaps one of the most critical requirements of any Web application, yet it is often taken for granted. When designing any Web application, careful thought needs to go into ensuring that the identity of the end user is validated before the user is allowed to perform any operation on the site.

While various techniques for user authentication exist (e.g. password-based, token-based, digital-certificate-based, biometrics, etc.), the Secure Sockets Layer (SSL) often comes into the picture. We will discuss SSL in detail in a future article; the focus of this article is how to set it up in the most commonly used Web server, Tomcat. In other words, most of us know that SSL secures traffic between the Web browser and the Web server. How SSL achieves this is not the focus of this article. Rather, taking it for granted that SSL does so (to be discussed in a separate article), this time we will see how Tomcat can make use of SSL in real-life situations.

This article describes the steps needed to make user authentication secure in Tomcat. It assumes that Tomcat is installed under a directory named tomcat on the C: drive of the computer.

Step 1: Edit tomcat-users.xml file

The basic premise for user authentication in Tomcat is the tomcat-users.xml file, located under the Tomcat installation at c:\tomcat\conf. This file specifies the names of the users that can access the Web pages running on Tomcat, and the roles they are mapped to. As a simple example, suppose that my user name is atul and I have been assigned the role manager. Then tomcat-users.xml should have the following entries for me.

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="atul" password="atul" roles="manager"/>
</tomcat-users>

The significance of this would become clear shortly. For now, we will take this for granted.
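Because tomcat-users.xml holds passwords in the clear and ties users to roles by name, it is worth checking the file mechanically before relying on it. The following script is an added example (not part of the original article or of Tomcat): it parses a tomcat-users.xml document and reports passwords equal to the user name, passwords shorter than a chosen length, and users mapped to roles that no role element declares. The sample document embedded in it is constructed for the demonstration; the second user and the admin role are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the tomcat-users.xml shown in Step 1 (not
# the article's own file). The "ops" user and the "admin" role are invented.
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="atul" password="atul" roles="manager"/>
  <user username="ops" password="long-and-random-passphrase" roles="manager,admin"/>
</tomcat-users>
"""


def _local(tag):
    # Newer Tomcat versions put a namespace on <tomcat-users>; compare local names only.
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text, min_length=8):
    """Return (username, finding) pairs for weak or inconsistent entries.

    Checks: password equal to the user name, password shorter than min_length,
    and a user mapped to a role that no <role> element declares.
    """
    root = ET.fromstring(xml_text)
    declared = {e.get("rolename") for e in root.iter() if _local(e.tag) == "role"}
    findings = []
    for user in (e for e in root.iter() if _local(e.tag) == "user"):
        name = user.get("username", "")
        password = user.get("password", "")
        roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
        if password == name:
            findings.append((name, "password equals user name"))
        if len(password) < min_length:
            findings.append((name, "password shorter than %d characters" % min_length))
        for role in roles:
            if role not in declared:
                findings.append((name, "role '%s' is not declared" % role))
    return findings


def audit_tomcat_users_file(path):
    # Audit a real file, e.g. audit_tomcat_users_file(r"c:\tomcat\conf\tomcat-users.xml")
    with open(path, "r", encoding="utf-8") as fh:
        return audit_tomcat_users(fh.read())


if __name__ == "__main__":
    for name, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("%s: %s" % (name, finding))
```

Run against the sample, the script flags the atul entry twice (password equal to the user name, and shorter than eight characters) and reports that the ops user references a role the file never declares.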

Step 2: Create a Digital Certificate to be used for SSL enabling in Tomcat

To enable SSL on Tomcat, the basic requirement is a digital certificate. To put it very simply, a digital certificate binds a person or an organization to a unique public key, just as a passport binds a person to a unique passport number. To create a digital certificate for Tomcat, we use the free keytool utility that ships with the JDK. It is invoked at the command prompt as follows:

keytool -genkey -alias atul -keyalg RSA

This tells the keytool utility that we want to create a keystore file, which encapsulates a digital certificate that can be used for SSL connectivity. Keytool asks for details such as name, organization, city, etc., which can be provided at the prompt. It also asks for a password for storing and later retrieving these details. We can provide a password of our choice, but we need to remember it. A sample screen is shown below.

[Screenshot: Command Prompt]

If everything is OK, this will have created a file with the extension .keystore in the directory where the command prompt was invoked. This file internally contains the digital certificate that Tomcat will later use.
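The interactive keytool session above is fine for a one-off, but for a repeatable setup it helps to answer every prompt on the command line and to name the keystore file explicitly, so there is no doubt which file Tomcat's connector must point at. The script below is an added example (not from the article or the JDK): it assembles a non-interactive keytool -genkey command, runs it if keytool is on the PATH, and confirms the alias appears in keytool -list output. The alias atul comes from the page; the keystore path, password and distinguished name are demonstration values.

```python
import shutil
import subprocess


def build_genkey_command(alias, keystore, storepass, dname,
                         keysize=2048, validity_days=365):
    """Assemble a non-interactive keytool -genkey command.

    Compared with the bare "keytool -genkey -alias atul -keyalg RSA", this
    pins the keystore to an explicit path (-keystore), answers the
    name/organization/city prompts up front (-dname), sets the passwords
    (-storepass / -keypass) and chooses an explicit RSA key size.
    """
    return [
        "keytool", "-genkey",
        "-alias", alias,
        "-keyalg", "RSA",
        "-keysize", str(keysize),
        "-validity", str(validity_days),
        "-keystore", keystore,
        "-storepass", storepass,
        # Tomcat's SSL HOWTO expects the key password to match the keystore
        # password, so the same value is passed for both.
        "-keypass", storepass,
        "-dname", dname,
    ]


def build_list_command(keystore, storepass):
    """keytool -list -v prints the stored certificate so the result can be checked."""
    return ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", storepass]


def create_and_verify(alias, keystore, storepass, dname):
    """Create the keystore and return True if keytool lists the alias.

    Returns None when keytool is not on the PATH (no JDK installed).
    """
    if shutil.which("keytool") is None:
        return None
    subprocess.run(build_genkey_command(alias, keystore, storepass, dname),
                   check=True, capture_output=True)
    listing = subprocess.run(build_list_command(keystore, storepass),
                             check=True, capture_output=True, text=True)
    return ("Alias name: %s" % alias) in listing.stdout


if __name__ == "__main__":
    import os
    import tempfile
    # Demonstration values; in practice CN is the host name users will type.
    path = os.path.join(tempfile.mkdtemp(), "tomcat.keystore")
    print(create_and_verify("atul", path, "changeit", "CN=localhost, O=Example, C=IN"))
```

The explicit -keysize avoids relying on keytool's default RSA size, and the -validity value bounds how long the self-signed certificate is accepted before it must be regenerated.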

Step 3: Add the security-constraint element to the web.xml file

The next step is to add a security-constraint element to the web.xml file to indicate which resources need to be protected using SSL. In other words, here we are saying that particular JSPs, servlets, etc. require that the user authenticate herself before accessing them. The web.xml file should have the following entries.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>My JSP</web-resource-name>
    <url-pattern>/Test.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>

Here, we are saying that for the JSP page Test.jsp we want confidential communication using SSL, and that all GET and POST requests are to be allowed only for the manager role (defined in step 1).
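One caveat a reviewer of this web.xml should know: under the Servlet specification, a security-constraint that lists http-method elements applies only to the methods listed, while a constraint with no http-method elements applies to every method. Listing GET and POST therefore leaves other methods (HEAD, for instance) outside the constraint, and the usual remedy is simply to omit the http-method elements. The script below is an added example (not from the article or from Tomcat) that audits a web.xml for three weaknesses: a transport-guarantee other than CONFIDENTIAL, a missing auth-constraint, and an explicit http-method list. The embedded web.xml is constructed: its first constraint is the one from Step 3, the second is an invented weaker one for contrast.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not the article's file): the first constraint is
# the one from Step 3, the second is an invented weaker one for contrast.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>My JSP</web-resource-name>
      <url-pattern>/Test.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    # web.xml for Servlet 2.4 and later carries a namespace; match on local names only.
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]


def audit_web_xml(xml_text):
    """Return (url-patterns, finding) pairs for each weak security-constraint.

    Flags: transport-guarantee other than CONFIDENTIAL (SSL not required),
    a missing auth-constraint (no role required), and an explicit
    http-method list, which leaves every unlisted method unconstrained.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods = [], []
        for wrc in _children(sc, "web-resource-collection"):
            patterns += _texts(wrc, "url-pattern")
            methods += _texts(wrc, "http-method")
        label = ", ".join(patterns) or "<no url-pattern>"
        udc = _children(sc, "user-data-constraint")
        guarantee = (_texts(udc[0], "transport-guarantee") or ["absent"])[0] if udc else "absent"
        if guarantee != "CONFIDENTIAL":
            findings.append((label, "transport-guarantee is %s, not CONFIDENTIAL" % guarantee))
        if not _children(sc, "auth-constraint"):
            findings.append((label, "no auth-constraint, so no role is required"))
        if methods:
            findings.append((label, "only %s constrained; other HTTP methods are not" % "/".join(methods)))
    return findings


if __name__ == "__main__":
    for label, finding in audit_web_xml(SAMPLE_WEB_XML):
        print("%s: %s" % (label, finding))
```

On the sample, the Step 3 constraint is reported only for its http-method list, while the invented /reports/* constraint is reported for both the NONE transport guarantee and the missing auth-constraint.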

PAGE 1 OF 2

