Java supports all kinds of HTTP authentication schemes, but unfortunately there is not a single good source available on the web which explains in detail how to do the required setup.

As part of this blog we will discuss Basic and Digest authentication, and I'll try to explain in as much detail as possible the required setup on the Tomcat web server and how Java handles these authentication schemes.

Basic Authentication:

Basic access authentication is a method designed to allow a client, such as a web browser or other client program, to provide credentials, in the form of a user name and password, when making a request.

Tomcat handles most of the authentication using different types of realms. A Realm is a "database" of user names and passwords that identify valid users of a web application (or set of web applications), plus an enumeration of the roles associated with each valid user. To make basic authentication work with Tomcat we will use the default realm, i.e. "UserDatabaseRealm".

Step I: Update "/conf/tomcat-users.xml" with role, user name and password information as follows:





Step II: The next step is to protect web content using the basic authentication scheme. When a user tries to access this protected web application, the web browser will ask for a user name and password. To switch on the basic authentication scheme, add the following to the web.xml of the web application; e.g. to protect content under /webapps/basicAuth we need to update the web.xml under /webapps/basicAuth/WEB-INF:


[web.xml fragment not preserved; the values it carried were: app, /tests/* (the protected URL pattern), sunuser (the required role), BASIC (the auth method) and testBasicRealm (the realm name)]

Step III: Try to run an applet located under /webapps/basicAuth. You will see an authentication pop-up from the browser. Supply user: jituB and pass: jitu20 (the same as specified inside tomcat-users.xml under Step I).

Make sure that there is no authentication pop-up from Java. If you are able to load the applet successfully after supplying a valid user/password, your setup is successful.




Digest Authentication:

Digest authentication is essentially a variant of Basic authentication in which the password is sent in digested form, allowing user identity to be established securely without having to send the password in plain text over the network. In many environments, use of Basic authentication is undesirable because casual observers of the authentication data can collect enough information to log on successfully and impersonate other users. To avoid this problem, the standard implementations support the concept of digesting user passwords.

To make digest authentication work with Tomcat we will again use the default realm, i.e. "UserDatabaseRealm", but in this case the stored version of the passwords will be encoded in a form that is not easily reversible, yet which the Realm implementation can still use for authentication.

Before moving on to the setup details, I would like to briefly discuss Realm configuration. This is important because, in order to make digest authentication work, we need to change the default "UserDatabaseRealm" settings, and if you are trying to use the same web server for both types of authentication then it's better to do the Realm configuration in an effective way, as described below:

  • Inside an <Engine> element - This Realm will be shared across ALL web applications on ALL virtual hosts, UNLESS it is overridden by a Realm element nested inside a subordinate <Host> or <Context> element.
  • Inside a <Host> element - This Realm will be shared across ALL web applications for THIS virtual host, UNLESS it is overridden by a Realm element nested inside a subordinate <Context> element.
  • Inside a <Context> element - This Realm will be used ONLY for THIS web application.
As explained above, it's better to have the Realm configured at Host or Context level, and for that we need to perform one extra step here. For this example we want to secure content under /webapps/digestAuth/tests.


Step I: Make sure that the Realm is not configured at Engine level, and for that create a "digestAuth.xml" under /conf/Catalina/localhost/. "digestAuth.xml" should contain something like the following:







Step II: Generate a digested password from the cleartext password using the Tomcat utility "/bin/digest.sh" as explained below:


    digest -a MD5 jituD:digestTestsRealm:jitu

This will return:

    jituD:digestTestsRealm:jitu:b31b9667a9e4748187d6936a29cb12ed

Note:

  • We have specified the MD5 algorithm since it's the one defined under Step I while configuring the realm. If you want to use SHA then the Realm configuration under Step I needs to be changed accordingly.
  • The input to the "digest" utility, i.e. "jituD:digestTestsRealm:jitu", is a combination of user_name:realm_name:password. That means in this case "jituD" is going to be the user name and "jitu" the password used to access the web application, while "digestTestsRealm" is the name of the realm against which we are setting up digest authentication. Note that the realm_name given here, "digestTestsRealm", must match the realm name defined inside web.xml (see Step III below).
Note down the returned digested password "b31b9667a9e4748187d6936a29cb12ed" and update "/conf/tomcat-users.xml" with role, user name and password information as follows:





Step III: The next step is to protect web content using the digest authentication scheme. When a user tries to access this protected web application, the web browser will ask for a user name and password. To switch on the digest authentication scheme, add the following to the web.xml inside /webapps/digestAuth/WEB-INF:


[web.xml fragment not preserved; the values it carried were: app, /tests/* (the protected URL pattern), sunsqeuser (the required role), DIGEST (the auth method) and digestTestsRealm (the realm name)]

Step IV: Try to run an applet located under /webapps/digestAuth/tests. You will see an authentication pop-up from the browser. Note that this pop-up will look different from the one we got while running the basic authentication scenario. Supply user: jituD and pass: jitu.

Due to a bug in Java, unlike with basic authentication, we will also get an authentication pop-up from Java. Supply the same set of user/pass again, i.e. user: jituD and pass: jitu.

If you are able to load the applet successfully after supplying a valid user/password, your setup is successful.
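The following is an added example (not code from this blog or from Tomcat) that walks through the arithmetic behind the two schemes set up above: what a Basic credential header contains, what "digest -a MD5 user:realm:password" in Step II computes, the tomcat-users.xml entry built from it, and how a realm holding only that digested value can verify a browser's Digest response without ever seeing the cleartext password. The nonce and request URI are constructed sample values.

```python
import base64
import hashlib
import hmac
from xml.sax.saxutils import quoteattr

REALM = "digestTestsRealm"  # must match the realm name in web.xml (Step III)


def basic_credentials(username, password):
    """What a browser sends for BASIC: user:password is only Base64-encoded,
    so anyone who observes the header recovers it with a single decode."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def digest_ha1(username, realm, password, algorithm="MD5"):
    """What `digest -a MD5 user:realm:password` computes (HA1 of RFC 2617)."""
    data = f"{username}:{realm}:{password}".encode()
    return hashlib.new(algorithm.lower(), data).hexdigest()


def digest_sh_line(username, realm, password):
    """Output line of Tomcat's digest utility: the input followed by its digest."""
    return f"{username}:{realm}:{password}:{digest_ha1(username, realm, password)}"


def tomcat_user_entry(username, realm, password, roles):
    """<user> element for tomcat-users.xml that stores only the digested password.
    quoteattr escapes the values so a password containing " or & stays well-formed."""
    return (f"<user username={quoteattr(username)} "
            f"password={quoteattr(digest_ha1(username, realm, password))} "
            f"roles={quoteattr(','.join(roles))}/>")


def digest_response(ha1, method, uri, nonce):
    """Client-side DIGEST response (MD5, no qop): MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def realm_verifies(stored_ha1, method, uri, nonce, response):
    """Server side: the realm recomputes the response from the stored HA1 alone,
    so the cleartext password is neither stored nor sent on the wire."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print("Basic header value:", basic_credentials("jituB", "jitu20"))
    print(digest_sh_line("jituD", REALM, "jitu"))  # compare with the Step II output
    print(tomcat_user_entry("jituD", REALM, "jitu", ["sunsqeuser"]))
    nonce = "constructed-nonce-0001"  # constructed sample nonce; Tomcat generates its own
    ha1 = digest_ha1("jituD", REALM, "jitu")
    resp = digest_response(ha1, "GET", "/digestAuth/tests/", nonce)
    print("realm accepts:", realm_verifies(ha1, "GET", "/digestAuth/tests/", nonce, resp))
```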

In my next blog I'll discuss form-based authentication and the most complicated one, client authentication.
