Trifork Blog

Password protecting web applications in tomcat.

January 22nd, 2007 by

A few days back I wanted to take an existing application, deploy it to a staging environment and password protect it without having to change the application code. How hard can it be right? As it turns out it’s not that hard but way, way harder than it should be. There doesn’t seem to be any support for this build into tomcat. So I ended up implementing my own valve that does this. Valves are components that enable Tomcat to intercept a request and pre-process it. They are similar to the filter mechanism of the Servlet specifications, but are specific to Tomcat They have a broader scope than Servlet filters and can be applied to the entire engine, to all applications for a host or a single web application. With this jar in my /server/lib, password protecting an application becomes as simple as

<Context docBase=”../app” debug=”0″ privileged=”true”>
<Valve className=”nl.jteam.tomcat.valves.PasswordValve”
password=”s3cr3t” exclude=”/test.html ” />

3 Responses

  1. January 22, 2007 at 02:09 by john smith

    Not supported in tomcat?

    No code is changed at all.

  2. January 22, 2007 at 08:12 by site admin

    Hi john, I looked at realm based security but discarded it as an option. Using realms would still require you to change the war because you would need to add the security-constraints to the web.xml file for the application.


    – a webapp might already be using realm based authentication to support logins for restricted of the site

    – you can’t exclude url’s from security constraints (i really need that this time aroun)

  3. February 21, 2007 at 13:34 by Rintcius

    The links to your jars do not work. I was particularly interested in the jar containing the GwtInvokerServiceExporter. Could you make them available again?