Skip to main content

Basic auth with Apache and Tomcat

This is a short "recipe" article explaining how to configure basic authentication for the following setup:
  • Apache Tomcat with some application that need be partially password-protected
  • Apache HTTP Server 2.4 as a proxy
  • CentOS 7 Linux server
Although basic authentication can be configured within Tomcat itself, my target is to use Apache for that purpose. In addition, as passing unencrypted credentials over the web is insecure, I'm going to install SSL certificates to enable HTTPS for the part of my application. This setup can be used when a part of an internal application need be secured to make it publicly accessible using a separate firewall/proxy (out of scope of this article), that part will be password-protected and SSL-encrypted.

Steps
  1. Copy certificates into /etc/ssl/certs/ivanlagunov.com
  2. Create symlink:
    3. cd /etc/httpd
sudo ln -s /etc/ssl/certs/ivanlagunov.com
  3. Install Apache mod_ssl
    4. sudo yum -y install mod_ssl
  4. Create file with user credentials for basic authentication
    5. sudo htpasswd -c /usr/local/apache/password/.htpasswd_application username
  5. Modify VirtualHost
    6. sudo vi /etc/httpd/conf.d/vhosts.conf
    The following are examples of virtual hosts: 
    <VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/ivanlagunov.com/Answer/ivanlagunov.com.crt
    SSLCertificateKeyFile /etc/httpd/ivanlagunov.com/Request/ivanlagunov.com.key
    SSLCertificateChainFile /etc/httpd/ivanlagunov.com/Answer/Linux/ivanlagunov.com.ca-bundle
    ServerName ivanlagunov.com

    # Password-protected part of the application is available under HTTPS
    <Location /application/protected_service>
        ProxyPass ajp://localhost:8009/application/protected_service

        AuthType Basic
        AuthName "Protected application"
        # By default, credentials are loaded from the file
        # There are smarter alternatives
        # As a default, the following directive can be omitted
        AuthBasicProvider file
        # Path to the file with user credentials
        AuthUserFile /usr/local/apache/password/.htpasswd_application
        # If Authorization header is not unset
        # Tomcat will return HTTP 401 Unauthorized
        RequestHeader unset "Authorization"
        # Require any valid user, can be limited to specific users
        Require valid-user
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName ivanlagunov.com

    # The whole application is available under HTTP
    ProxyPass /application ajp://localhost:8009/application
</VirtualHost>
  6. Restart Apache
    7. sudo service httpd restart

Results
As a result, the following URLs will be accessible without password:
  • http://ivanlagunov.com/application
  • http://ivanlagunov.com/application/protected_service
The following URL won't be accessible:
  • https://ivanlagunov.com/application
The following URL will be password-protected:
  • https://ivanlagunov.com/application/protected_service
Once again, only the last HTTPS URL is supposed to be made publicly accessible in this setup. HTTP URLs are supposed to be internal-only, hidden behind the firewall. That was an idea but the firewall configuration is out of scope of this article.
Labels:

Comments

Post a Comment

Popular posts from this blog

Connection to Amazon Neptune endpoint from EKS during development

This small article will describe how to connect to Amazon Neptune database endpoint from your PC during development. Amazon Neptune is a fully managed graph database service from Amazon. Due to security reasons direct connections to Neptune are not allowed, so it's impossible to attach a public IP address or load balancer to that service. Instead access is restricted to the same VPC where Neptune is set up, so applications should be deployed in the same VPC to be able to access the database. That's a great idea for Production however it makes it very difficult to develop, debug and test applications locally. The instructions below will help you to create a tunnel towards Neptune endpoint considering you use Amazon EKS - a managed Kubernetes service from Amazon. As a side note, if you don't use EKS, the same idea of creating a tunnel can be implemented using a Bastion server . In Kubernetes we'll create a dedicated proxying pod. Prerequisites. Setting up a tunnel.
Post a Comment
Read more

Notes on upgrade to JSF 2.1, Servlet 3.0, Spring 4.0, RichFaces 4.3

This article is devoted to an upgrade of a common JSF Spring application. Time flies and there is already Java EE 7 platform out and widely used. It's sometimes said that Spring framework has become legacy with appearance of Java EE 6. But it's out of scope of this post. Here I'm going to provide notes about the minimal changes that I found required for the upgrade of the application from JSF 1.2 to 2.1, from JSTL 1.1.2 to 1.2, from Servlet 2.4 to 3.0, from Spring 3.1.3 to 4.0.5, from RichFaces 3.3.3 to 4.3.7. It must be mentioned that the latest final RichFaces release 4.3.7 depends on JSF 2.1, JSTL 1.2 and Servlet 3.0.1 that dictated those versions. This post should not be considered as comprehensive but rather showing how I did the upgrade. See the links for more details. Jetty & Tomcat. JSTL. JSF & Facelets. Servlet. Spring framework. RichFaces. Jetty & Tomcat First, I upgraded the application to run with the latest servlet container versio
1 comment
Read more

Extracting XML comments with XQuery

I've just discovered that it's possible to process comment nodes using XQuery. Ideally it should not be the case if you take part in designing your data formats, then you should simply store valuable data in plain xml. But I have to deal with OntoML data source that uses a bit peculiar format while export to XML, i.e. some data fields are stored inside XML comments. So here is an example how to solve this problem. XML example This is an example stub of one real xml with irrelevant data omitted. There are several thousands of xmls like this stored in Sedna XML DB collection. Finally, I need to extract the list of pairs for the complete collection: identifier (i.e. SOT1209 ) and saved timestamp (i.e. 2012-12-12 23:58:13.118 GMT ). <?xml version="1.0" standalone="yes"?> <!--EXPORT_PROGRAM:=eptos-iso29002-10-Export-V10--> <!--File saved on: 2012-12-12 23:58:13.118 GMT--> <!--XML Schema used: V099--> <cat:catalogue xmlns:cat=
Post a Comment
Read more