Password protecting web applications in Tomcat.

by Jelmer Kuperus, January 22, 2007

A few days back I wanted to take an existing application, deploy it to a staging environment and password protect it without having to change the application code. How hard can it be, right? As it turns out it’s not that hard, but way, way harder than it should be. There doesn’t seem to be any support for this built into Tomcat, so I ended up implementing my own valve that does this. Valves are components that enable Tomcat to intercept a request and pre-process it. They are similar to the filter mechanism of the Servlet specification, but are specific to Tomcat. They have a broader scope than Servlet filters and can be applied to the entire engine, to all applications for a host, or to a single web application. With this jar in my /server/lib, password protecting an application becomes as simple as:

<Context docBase="../app" debug="0" privileged="true">
    <Valve className="nl.jteam.tomcat.valves.PasswordValve"
           password="s3cr3t" exclude="/test.html" />
</Context>
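
To show what a valve configured with `password` and `exclude` attributes has to do, here is an added sketch; it is not the nl.jteam PasswordValve from this post. The class name `SharedPasswordValve`, the package, the realm name and the use of HTTP Basic authentication are assumptions made for the illustration.

```java
// Added illustration, not the nl.jteam PasswordValve from the post.
// Assumes Tomcat 10+ (jakarta.*); older releases use javax.servlet instead.
package example.valves; // hypothetical package name

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class SharedPasswordValve extends ValveBase {
    private String password; // from the password attribute of <Valve>
    private String exclude;  // one context-relative path that skips the check

    // Tomcat calls these setters with the attribute values from the <Valve> element.
    public void setPassword(String password) { this.password = password; }
    public void setExclude(String exclude) { this.exclude = exclude == null ? null : exclude.trim(); }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // Decoded, normalised path inside the context; exact match only, so odd encodings fail closed.
        String path = request.getRequestPathMB().toString();
        String header = request.getHeader("Authorization");
        if ((exclude != null && exclude.equals(path)) || (header != null && passwordMatches(header))) {
            getNext().invoke(request, response); // hand over to the next valve / the application
            return;
        }
        response.setHeader("WWW-Authenticate", "Basic realm=\"staging\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    private boolean passwordMatches(String header) {
        if (password == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false; // unset = deny
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String creds = new String(raw, StandardCharsets.UTF_8); // "user:password", user ignored
            int colon = creds.indexOf(':');
            if (colon < 0) return false;
            byte[] supplied = creds.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison so timing does not reveal how much of the password matched.
            return MessageDigest.isEqual(supplied, password.getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) {
            return false; // malformed Base64
        }
    }
}
```

Basic credentials are only Base64-encoded on the wire, so a valve like this belongs behind TLS. The password also sits in clear text in the context file, so that file's permissions matter as much as the password itself.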