Secure Tomcat Hosting: Restrict Access to Your Web Application
Locking down your web app is unavoidable. We take a look at how to restrict access to your Tomcat-based web app in this post.
Join the DZone community and get the full member experience.
Join For Free
Is it possible to have too much security while running your own app? Nowadays, applications are a common target of potential attacks and vulnerabilities. As a result, having the ability to restrict access to your application is critical for your business.
In this article, we will guide how to protect your application running on a Tomcat server in Jelastic. We recommend two possible solutions on how to restrict access to your application (you can choose one of them or use both):
- Requesting the user authentication.
- Denying the access to specified IP addresses.
With the authentication settings, you can specify several users and provide them different levels of access by stating the roles. And, if you're aware of harmful actions targeted to your app from specific IP addresses - simply restrict access per abuser.
Let's get started and share the required configurations step-by-step.
Authentication
To request the user authentication for accessing your Tomcat-based web application, perform the following actions:
1. Navigate to the environment where your application is deployed. Click the Config button for your Tomcat server.
2. Open the opt/tomcat/conf/ folder and select the tomcat-users.xml file.
3. Add new users with the required credentials and roles. Save the changes.
For example:
<user username="test" password="test" roles="admin"/>
<user username="test1" password="test1" roles="user"/>
4. Go to the web.xml file within the same folder and specify the security constraint for the newly created user.
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
5. Save the changes and Restart your Tomcat server.
As a result, while accessing the application, a user will be requested to authenticate. 
Client IP Address Access Deny
In order to set the access deny to your web-application for the certain client IP addresses perform the following:
1. Navigate to the environment with your application deployed. Press Config button for the Tomcat server.
2. Go to the /opt/tomcat/webapps/ROOT/META-INF folder and open the context.xml file.
3. Add the following strings to the context.xml file as shown below:
<Context antiJARLocking="true" path="/">
<Valve className="org.apache.catalina.valves.RemoteIpValve" />
<Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="{IP_address}" />
</Context>
Note: If there is no context.xml file in your /opt/tomcat/webapps/ROOT/META-INF folder, you need to create it, add all the above-mentioned strings, and restart your Tomcat server for the changes to be applied.
4. Save the changes and Restart your Tomcat server.
Subsequently, the user with the denied IP address will see the HTTP Status 403 while trying to access your application. 
And that's all! Simply, isn't it?
Just a few easy steps are required to protect your app from abusive users. These are just some basic settings that can be implemented to make your web application more secure. If you are interested in additional methods of protection, feel free to leave your comments below stating the problem you want to solve.
Published at DZone with permission of Tetiana Fydorenchyk, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments