Recipe 15.1 Creating Users and Passwords with Tomcat

Problem

You want to create usernames and passwords for authenticating requests for certain web components.

Solution

Add the usernames, passwords, and roles to the tomcat-users.xml file.

Discussion

A very easy method of authenticating users with Tomcat involves creating usernames, passwords, and roles in the tomcat-users.xml file. This file is stored in <Tomcat-installation-directory>/conf.

Everyone is familiar with usernames and passwords, but what are roles? Roles are logical ways to describe groups of users who have similar responsibilities, such as manager or databaseAdmin. Example 15-1 shows a tomcat-users.xml file that creates two roles and two users with two aptly named XML elements: role and user.

Example 15-1. The tomcat-users XML file

<?xml version='1.0' encoding='utf-8'?>

<tomcat-users>
  <role rolename="dbadmin"/>
  <role rolename="manager"/>
  <user username="BruceP" password="bwperry" roles="dbadmin,manager"/>
  <user username="JillH" password="jhayward" roles="manager"/>
</tomcat-users>

In Example 15-1, the user BruceP is associated with two roles (dbadmin and manager), while user JillH is associated only with the manager role. Tomcat uses this file when authenticating users with BASIC and form-based authentication, as described in Recipe 15.3 and Recipe 15.4.

See Also

The Tomcat documentation and Recipe 15.2 on setting up SSL for use with authentication: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html; Recipe 3.9 on restricting requests for certain servlets; Recipe 15.3 on using BASIC authentication; Recipe 15.4 on using form-based authentication; Recipe 15.5 on logging out a user; Recipe 15.6-Recipe 15.9 on using JAAS.