Skip to main content

Basic auth with Apache and Tomcat

This is a short "recipe" article explaining how to configure basic authentication for the following setup:
  • Apache Tomcat with some application that need be partially password-protected
  • Apache HTTP Server 2.4 as a proxy
  • CentOS 7 Linux server
Although basic authentication can be configured within Tomcat itself, my target is to use Apache for that purpose. In addition, as passing unencrypted credentials over the web is insecure, I'm going to install SSL certificates to enable HTTPS for the part of my application. This setup can be used when a part of an internal application need be secured to make it publicly accessible using a separate firewall/proxy (out of scope of this article), that part will be password-protected and SSL-encrypted.

  1. Copy certificates into /etc/ssl/certs/
  2. Create symlink:
  3. cd /etc/httpd
    sudo ln -s /etc/ssl/certs/
  4. Install Apache mod_ssl
  5. sudo yum -y install mod_ssl
  6. Create file with user credentials for basic authentication
  7. sudo htpasswd -c /usr/local/apache/password/.htpasswd_application username
  8. Modify VirtualHost
  9. sudo vi /etc/httpd/conf.d/vhosts.conf
    The following are examples of virtual hosts:
    <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/httpd/
        SSLCertificateKeyFile /etc/httpd/
        SSLCertificateChainFile /etc/httpd/
        # Password-protected part of the application is available under HTTPS
        <Location /application/protected_service>
            ProxyPass ajp://localhost:8009/application/protected_service
            AuthType Basic
            AuthName "Protected application"
            # By default, credentials are loaded from the file
            # There are smarter alternatives
            # As a default, the following directive can be omitted
            AuthBasicProvider file
            # Path to the file with user credentials
            AuthUserFile /usr/local/apache/password/.htpasswd_application
            # If Authorization header is not unset
            # Tomcat will return HTTP 401 Unauthorized
            RequestHeader unset "Authorization"
            # Require any valid user, can be limited to specific users
            Require valid-user
    <VirtualHost *:80>
        # The whole application is available under HTTP
        ProxyPass /application ajp://localhost:8009/application
  10. Restart Apache
  11. sudo service httpd restart

As a result, the following URLs will be accessible without password:
The following URL won't be accessible:
The following URL will be password-protected:
Once again, only the last HTTPS URL is supposed to be made publicly accessible in this setup. HTTP URLs are supposed to be internal-only, hidden behind the firewall. That was an idea but the firewall configuration is out of scope of this article.


Popular posts from this blog

DynamicReports and Spring MVC integration

This is a tutorial on how to exploit DynamicReports reporting library in an existing  Spring MVC based web application. It's a continuation to the previous post where DynamicReports has been chosen as the most appropriate solution to implement an export feature in a web application (for my specific use case). The complete code won't be provided here but only the essential code snippets together with usage remarks. Also I've widely used this tutorial that describes a similar problem for an alternative reporting library. So let's turn to the implementation description and start with a short plan of this how-to: Adding project dependencies. Implementing the Controller part of the MVC pattern. Modifying the View part of the MVC pattern. Modifying web.xml. Adding project dependencies I used to apply Maven Project Builder throughout my Java applications, thus the dependencies will be provided in the Maven format. Maven project pom.xml file: net.sourcefo

Do It Yourself Java Profiling

This article is a free translation of the Russian one that is a transcript of the Russian video lecture done by Roman Elizarov at the Application Developer Days 2011 conference. The lecturer talked about profiling of Java applications without any standalone tools. Instead, it's suggested to use internal JVM features (i.e. threaddumps, java agents, bytecode manipulation) to implement profiling quickly and efficiently. Moreover, it can be applied on Production environments with minimal overhead. This concept is called DIY or "Do It Yourself". Below the lecture's text and slides begin. Today I'm giving a lecture "Do It Yourself Java Profiling". It's based on the real life experience that was gained during more than 10 years of developing high-loaded finance applications that work with huge amounts of data, millions currency rate changes per second and thousands of online users. As a result, we have to deal with profiling. Application pro

Using Oracle impdp utility to reload database

Here I'll show an example of using Oracle Data Pump Import (impdp) utility. It allows importing Oracle data dumps. Specifically, below is the list of steps I used on an existing Oracle schema to reload the data from a dump. Steps to reload the data from an Oracle dump We start with logging into SQL Plus as sysdba to be able to manage users. sqlplus sys/password@test as sysdba Dropping the existing user. CASCADE clause will ensure that all schema objects are removed before the user. SQL> DROP USER test CASCADE; Creating a fresh user will automatically create an empty schema with the same name. SQL> CREATE USER test IDENTIFIED BY "testpassword"; Granting DBA role to the user to load the dump later. Actually, it's an overkill and loading the dump can be permitted using a more granular role IMP_FULL_DATABASE . SQL> GRANT DBA TO test; Registering the directory where the dump is located. SQL> CREATE DIRECTORY dump_dir AS '/home/test/dumpd