This tutorial shows how to configure Servlet Basic Authentication in web.xml. With basic authentication of a servlet, the web browser presents a standard login dialog that is not customizable. When a user submits a user name and password, the server determines whether they belong to an authorized user and sends the requested web resource if the user is authorized to view it. The user name and password are automatically Base64 encoded, which does not mean that they are safe: Base64 is an encoding, not encryption, and can be easily decoded. This is the eleventh post in the Java Servlet Tutorial series, which aims to give you full knowledge of Servlet 3.0.
Table of contents:
1. Configure your credentials
2. Authenticated Servlet
3. Not authenticated Servlet
4. Servlet Basic Authentication Web.XML Configuration
5. Deploy Servlet Basic Authentication Annotation Example
Configure your credentials Username/password
We use Tomcat 8 for the Servlet Basic Authentication web.xml configuration. The tomcat-users.xml file registers a username/password combination with the appropriate role. This file is located at ../apache-tomcat-8.0.33/conf/tomcat-users.xml.
```xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
    <user username="javabycode" password="P@ssw0rd" roles="auth"/>
</tomcat-users>
```
Authenticated Servlet
In this tutorial, the security configuration lives in the web.xml file, so the servlet class itself stays simple. Here is the authenticated servlet:

```java
package com.javabycode;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class AuthServlet extends HttpServlet {

    // Mapped to /auth, which the security constraint in web.xml protects.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        PrintWriter out = resp.getWriter();
        out.write("Your credentials are authenticated to access web application");
    }
}
```
Not authenticated Servlet
For contrast with the authenticated servlet, we also create a servlet without any security:

```java
package com.javabycode;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class NotAuthServlet extends HttpServlet {

    // Mapped to /notauth, which no security constraint in web.xml covers.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        PrintWriter out = resp.getWriter();
        out.write("The authentication is not required");
    }
}
```
Servlet Basic Authentication Web.XML Configuration
First, we register the two servlets in web.xml and add the security configuration:

```xml
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <servlet>
        <servlet-name>auth-servlet</servlet-name>
        <servlet-class>com.javabycode.AuthServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>auth-servlet</servlet-name>
        <url-pattern>/auth</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>notauth-servlet</servlet-name>
        <servlet-class>com.javabycode.NotAuthServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>notauth-servlet</servlet-name>
        <url-pattern>/notauth</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>auth-url</web-resource-name>
            <url-pattern>/auth/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>auth</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>default</realm-name>
    </login-config>

    <security-role>
        <role-name>auth</role-name>
    </security-role>
</web-app>
```
Let’s dig deeper into this XML snippet.
We assume that you already know how servlets are registered, so we focus only on the servlet basic authentication configuration. To enable basic authentication for the service, we must add security elements to the application deployment descriptor, web.xml. The security elements that need to be added to the deployment descriptor include the <security-constraint> and <login-config> elements.
Each <security-constraint> element must have one or more <web-resource-collection> elements. These define the area of the web application to which this security constraint is applied.
<web-resource-collection>: A list of URL patterns (the part of a URL after the host name and port that you want to constrain) and HTTP methods (the operations on the matching URLs that you want to constrain) that describe a set of resources to be protected.
<auth-constraint>: Specifies whether authentication is to be used and names the roles authorized to perform the constrained requests. For more information about authorization constraints
web-resource-name
<login-config> specifies the type of authentication that we are going to use. In our case, we configure BASIC.
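A hardened variant of the constraint above, as an added example that is not part of the tutorial's own code. It drops the <http-method> list, because a constraint that names methods applies only to those methods, and it requires TLS, because Basic credentials are only Base64 encoded. It assumes Tomcat has an HTTPS connector configured.

```xml
<!-- Added example: replaces the <security-constraint> block in the web.xml shown above -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>auth-url</web-resource-name>
        <url-pattern>/auth/*</url-pattern>
        <!-- No <http-method> elements: the constraint then covers every
             HTTP method (HEAD, PUT, DELETE, ...), not only GET and POST. -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>auth</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- Require an encrypted transport so the Authorization header,
             which carries the Base64-encoded user name and password,
             is not sent in clear text. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

If you prefer to keep the <http-method> list, the Servlet 3.1 <deny-uncovered-http-methods/> element, placed directly under <web-app>, makes the container reject the methods the constraint does not name.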
Deploy Servlet Basic Authentication Annotation Example
Make a request to the servlet protected by basic authentication at the URL: http://localhost:8080/servlet-auth-xml/auth
Enter the credentials username=javabycode and password=P@ssw0rd to get the result.
If you enter incorrect credentials, you will get an error, as in the screenshot.
Make another request, this time without servlet basic authentication, at the URL: http://localhost:8080/servlet-auth/notauth
You will get the result such as
That’s all on how to do a Servlet Basic Authentication Web.xml Configuration in Java. You can also find other servlet examples in the Java Servlet Example series. We hope it is useful to you.
To download the complete source code, use the link below:
Servlet-Basic-Authentication-Xml-Example.zip
Happy learning!