java - Centrally secure all tomcat webapps using BASIC authentication

Question

I have a Tomcat 6 server containing three webapps: a custom one as ROOT, Jenkins and Nexus.

I would like to secure all three centrally (server.xml?) using BASIC authentication.

How can I achieve this without modifying or configuring the webapps themselves?

Answer 1

First I tried (without success) to include the BasicAuthenticator valve in conf/context.xml. This didn't seem to have any effect.

Finally I got it to work (secured all webapps) by adding this snippet to conf/web.xml :

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Basic Authentication</web-resource-name>
<!--Here wildcard entry defines authentication is needed for whole app -->
            <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>myrole</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<security-role>
    <description>My role</description>
    <role-name>myrole</role-name>
</security-role>