Password Protect any Tomcat WebApp


A few minutes ago I received a small but rather rare request: Please add basic auth to this webapp. As you might guess from the topic of this post, the webapp didn’t provide any user login system. Because of the fact that the installation was only meant to be a prototype running in a virtual sandbox with no changing users or roles, I decided to let Tomcat handle the logins. What follows is a simple step by step howto which will help you to protect any webapp. Enjoy.

The following steps were tested with Tomcat 6.0.29. I think they should work with all currently running Tomcat versions out there. If it didn’t work out for your version, please let me know. Okay so lets start: First of all, we need to enable the MemoryRealm. You can do so by adding this line to the server.xml file inside your tomcats conf directory.

<Realm className="org.apache.catalina.realm.MemoryRealm" />

If you wonder what you’re activating here, please read the Catalina doc:

Then, you want to add a user and a role for your webapp inside the tomcat-users.xml file, which can be found in the same directory.

<role rolename="myrole"/>
<user username="myuser" password="mypassword" roles="myrole"/>

If you would like to share your users over multiple webapps, you might want to create one role per webapp and add these roles to the corresponding users. Multiple roles are being defined by simply writing them all inside the roles attribute, separated by a ‘,’.

The next step will be to add the login information inside the webapp you want to protect. Open your webapp’s web.xml file. If the webapp was already deployed, please keep in mind that a redeploy might invalidate or overwrite the settings you’re about to set. So here we go; Write the following lines in your web.xml (located inside the web-app element).



Make sure that the role-name attribute fits the one you picked in the tomcat-users.xml file. You might also only protect the nasty parts of your application using the URL pattern. However using ‘/*’, the mechanism will protect the whole web application. The basic auth-method is just the simple base64 encoded user:password in the http request header stuff. If you want a more decent solution, read this page for more available auth methods:

I hope you enjoyed the ride.


Leave a comment


  1. very nice and informative post… thanks for sharing.

  2. Thanks for sharing, very useful information.

  3. Hey. Thanks for posting this helpful advice. I just attempted it on a ubuntu 10.04 server with tomcat version 7. At first, it broke my tomcat server but then I removed the Realm tag that was added and everything else is now working as desired. Thanks a bunch. I’m still not sure if my original error was due to the tomcat version or my inexperience but I hope it might help others in this situation.

  4. Hi, what if my app is deployed from .war file and I can’t access web.xml deploy descriptor of my app?

Leave a Reply

You must be logged in to post a comment.