How to password protect a directory in Tomcat?
Hi there,
My configuration is as follows.
Apache2 + mod_jk + Tomcat 5
I have enabled the CGI processing servlet (org.apache.catalina.servlets.CGIServlet) in $CATALINA_HOME/conf/web.xml file. Now I can successfully run my Perl CGI scripts. All my CGI scripts are located in the directory $CATALINA_HOME/webapps/mywebapp/WEB-INF/cgi/
I want to secure these CGI scripts by password protecting the above mentioned directory.
I've read the docs and I think configuring the conf/server.xml file along with conf/tomcat-users.xml file is the best way of doing it. Am I right? If so, can anyone here please tell me how to proceed with this? What do I need to add to server.xml and tomcat-users.xml to password protect the aforementioned directory?
Thank you very much for reading. I really appreciate your response.
Regards,
Shashi
# 1
There should not be any need to password protect any directories under WEB-INF since the server is not supposed to allow access to those directories by default.
# 2
Thanks for a quick reply, Tolmank! You might not be aware of how the CGI servlet shipped with Tomcat works. Here is the relevant portion of the conf/web.xml file for your reference.
Thanks,
Shashi
<!-- Common Gateway Includes (CGI) processing servlet, which supports -->
<!-- execution of external applications that conform to the CGI spec -->
<!-- requirements. Typically, this servlet is mapped to the URL pattern -->
<!-- "/cgi-bin/*", which means that any CGI applications that are -->
<!-- executed must be present within the web application. This servlet -->
<!-- supports the following initialization parameters (default values -->
<!-- are in square brackets): -->
<servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>cgiPathPrefix</param-name>
        <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <load-on-startup>5</load-on-startup>
</servlet>
# 3
Which means that you would password protect the CGIServlet and not the WEB-INF/cgi directory.
# 4
Wow! You are right, Tolmank! I guess I must password protect the CGI Servlet. Any hints on how I should go about doing so?
Thanks,
Shashi
# 5
You might find this useful (if you only have Tomcat):
http://www.jguru.com/faq/view.jsp?EID=1082911
Do you have Apache HTTP Server and Tomcat? Or just Tomcat?
If you have Apache HTTP Server with Tomcat, you can create .htaccess files, or you can configure mod_rewrite to password protect any directory. Google has lots of documentation on .htaccess and mod_rewrite.
You can ask Tomcat related questions (for a better reply and also because the topic is closely related to Tomcat) on the Tomcat mailing list:
http://tomcat.apache.org/lists.html
# 6
Assuming you have mapped your CGI servlet to requests that have a .cgi extension, add the following to the bottom of your web.xml file:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>*.cgi</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Server Configuration Form-Based Authentication Area</realm-name>
</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>
The conf/tomcat-users.xml file contains the roles, usernames and passwords that can access the protected resources. This should get you started.
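
Added example (not part of the thread and not Tomcat's own code): a Python check for the point made in replies #3 and #6, that the constraint has to cover every URL pattern the CGI servlet is mapped to rather than the WEB-INF/cgi directory. The sample web.xml, its `/cgi-bin/*` mapping and the function names are constructed for illustration; pattern matching is simplified, and a constraint that lists `<http-method>` is reported as partial because it applies only to the listed methods.

```python
import xml.etree.ElementTree as ET

CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"
# Constructed sample, not from the thread: two CGI mappings, one GET-only constraint.
SAMPLE_WEB_XML = """<web-app>
<servlet><servlet-name>cgi</servlet-name>
  <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet>
<servlet-mapping><servlet-name>cgi</servlet-name>
  <url-pattern>*.cgi</url-pattern></servlet-mapping>
<servlet-mapping><servlet-name>cgi</servlet-name>
  <url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
<security-constraint>
  <web-resource-collection><web-resource-name>Protected Area</web-resource-name>
    <url-pattern>*.cgi</url-pattern><http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>
</web-app>"""

def _texts(elem, name):
    # Text of every descendant element called `name`, ignoring XML namespaces.
    return [(e.text or "").strip() for e in elem.iter()
            if e.tag.rsplit("}", 1)[-1] == name]

def _covers(constraint, mapping):
    # Simplified: same pattern, "/*", or a path prefix ("/x/*") containing it.
    return constraint in (mapping, "/*") or (
        constraint.endswith("/*") and mapping.startswith(constraint[:-1]))

def audit_cgi_protection(web_xml):
    """Map each CGI servlet url-pattern to PROTECTED, PARTIAL or UNPROTECTED."""
    root = ET.fromstring(web_xml)
    kids = lambda name: [e for e in root if e.tag.rsplit("}", 1)[-1] == name]
    names = {_texts(s, "servlet-name")[0] for s in kids("servlet")
             if CGI_CLASS in _texts(s, "servlet-class")}
    report = {p: "UNPROTECTED" for m in kids("servlet-mapping")
              if _texts(m, "servlet-name")[0] in names
              for p in _texts(m, "url-pattern")}
    for sc in kids("security-constraint"):
        if not _texts(sc, "auth-constraint"):
            continue  # no auth-constraint: nothing here demands a login
        # A constraint listing http-method applies to those methods only.
        methods = _texts(sc, "http-method")
        status = "PARTIAL: only " + ",".join(methods) if methods else "PROTECTED"
        for cpat in _texts(sc, "url-pattern"):
            for mpat in report:
                if _covers(cpat, mpat) and report[mpat] != "PROTECTED":
                    report[mpat] = status
    return report
```

Calling `audit_cgi_protection(open("WEB-INF/web.xml").read())` on a deployed application lists any CGI mapping that the constraint from reply #6 does not reach.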
# 7
Thank you for all the help, tolmank!! That did the trick! :)
Warm regards,
Shashi