Security Configs for Tomcat Applications

These guidelines describe how to secure an application running on the platform’s Tomcat server. To limit access to your app, we provide the following two solutions: authentication and denying client IP addresses.

You can choose either method or use both together.

Authentication

To configure authentication on a Tomcat server, take the following actions:

Step 1. Launch the platform dashboard and choose the Tomcat server in your environment by clicking the “Config” icon next to it.

Step 2. Navigate to the `/opt/tomcat/conf` folder and double-click the `tomcat-users.xml` file to open it. Use this syntax to add new users with their credentials and roles:


```xml
<!-- The user element is empty, so it must be self-closed -->
<user username="test" password="test" roles="admin"/>
```

Save the changes.

Step 3. Next, open the `web.xml` file located in the same `/opt/tomcat/conf` folder and configure the security constraints for the newly created user:


```xml
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Test Realm</realm-name>
</login-config>
```

Step 4. Restart your Tomcat application server after saving the modifications.

When users attempt to access the application, they should see an authentication window if everything is configured correctly.
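
As an added example (not part of the original guide or of Tomcat), the Python script below audits the two files edited in Steps 2 and 3 for a password equal to the username, a role allowed in `web.xml` that no user in `tomcat-users.xml` holds, and BASIC authentication without a `CONFIDENTIAL` transport guarantee, which lets the credentials travel over plain HTTP. The embedded XML is constructed from the snippets on this page, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed samples based on the snippets on this page (not a real deployment).
TOMCAT_USERS = """<tomcat-users>
  <user username="test" password="test" roles="admin"/>
</tomcat-users>"""
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Test Realm</realm-name>
  </login-config>
</web-app>"""

def local(tag):
    """Drop any XML namespace prefix so namespaced web.xml files also work."""
    return tag.rsplit("}", 1)[-1]

def texts(root, name):
    """Stripped text of every descendant element whose local name is `name`."""
    return [(e.text or "").strip() for e in root.iter() if local(e.tag) == name]

def audit(users_xml, web_xml):
    """Return human-readable findings for tomcat-users.xml and web.xml content."""
    users, web = ET.fromstring(users_xml), ET.fromstring(web_xml)
    findings, granted, allowed = [], set(), set()
    for u in (e for e in users.iter() if local(e.tag) == "user"):
        granted.update(r.strip() for r in u.get("roles", "").split(",") if r.strip())
        if u.get("password") and u.get("password") == u.get("username"):
            findings.append(f"user '{u.get('username')}': password equals username")
    # Only role-name elements inside auth-constraint grant access.
    for ac in (e for e in web.iter() if local(e.tag) == "auth-constraint"):
        allowed.update(texts(ac, "role-name"))
    for role in sorted(allowed - granted - {"*", "**"}):
        findings.append(f"role '{role}' is allowed in web.xml but held by no user")
    if "BASIC" in texts(web, "auth-method") and \
            "CONFIDENTIAL" not in texts(web, "transport-guarantee"):
        findings.append("BASIC auth without a CONFIDENTIAL transport-guarantee")
    return findings

if __name__ == "__main__":
    for finding in audit(TOMCAT_USERS, WEB_XML):
        print("FINDING:", finding)
```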

Deny Client IP Addresses

Take the following actions to prevent certain IP addresses from accessing your web application:

Step 1. Select the Tomcat server where your application is deployed by clicking the “Config” button.

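Step 2. Open the `context.xml` file from the `/opt/tomcat/webapps/ROOT/META-INF` folder.

Step 3. Add the following lines to the `context.xml` file, replacing `{IP_address}` with the address to block (Tomcat evaluates the `deny` attribute as a regular expression):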


```xml
<Context antiJARLocking="true" path="/">
  <Valve className="org.apache.catalina.valves.RemoteIpValve" />
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="{IP_address}" />
</Context>
```

Step 4. Restart the Tomcat server after clicking the “Save” button.

Users with blocked IP addresses will encounter an HTTP Status 403 error when attempting to access your application after these modifications are made.