DZone
Security Zone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
  • Refcardz
  • Trend Reports
  • Webinars
  • Zones
  • |
    • Agile
    • AI
    • Big Data
    • Cloud
    • Database
    • DevOps
    • Integration
    • IoT
    • Java
    • Microservices
    • Open Source
    • Performance
    • Security
    • Web Dev
DZone > Security Zone > Secure Tomcat Hosting: Restrict Access to Your Web Application

Secure Tomcat Hosting: Restrict Access to Your Web Application

Locking down your web app is unavoidable. We take a look at how to restrict access to your Tomcat-based web app in this post.

Tetiana Fydorenchyk user avatar by
Tetiana Fydorenchyk
·
Apr. 23, 18 · Security Zone · Tutorial
Like (12)
Save
Tweet
15.60K Views

Join the DZone community and get the full member experience.

Join For Free

Is it possible to have too much security while running your own app? Nowadays, applications are a common target of potential attacks and vulnerabilities. As a result, having the ability to restrict access to your application is critical for your business.

In this article, we will guide how to protect your application running on a Tomcat server in Jelastic. We recommend two possible solutions on how to restrict access to your application (you can choose one of them or use both):

  • Requesting the user authentication.
  • Denying the access to specified IP addresses.

With the authentication settings, you can specify several users and provide them different levels of access by stating the roles. And, if you're aware of harmful actions targeted to your app from specific IP addresses - simply restrict access per abuser.

Let's get started and share the required configurations step-by-step.

Authentication

To request the user authentication for accessing your Tomcat-based web application, perform the following actions:

1. Navigate to the environment where your application is deployed. Click the Config button for your Tomcat server.

2. Open the opt/tomcat/conf/ folder and select the tomcat-users.xml file.

3. Add new users with the required credentials and roles. Save the changes.

For example:

<user username="test" password="test" roles="admin"/>
<user username="test1" password="test1" roles="user"/>

4. Go to the web.xml file within the same folder and specify the security constraint for the newly created user.

<security-constraint>
 <web-resource-collection>
  <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
  <role-name>admin</role-name>
  <role-name>user</role-name>
 </auth-constraint>
</security-constraint>

<login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>Test Realm</realm-name>
</login-config>

5. Save the changes and Restart your Tomcat server.

As a result, while accessing the application, a user will be requested to authenticate.

Client IP Address Access Deny

In order to set the access deny to your web-application for the certain client IP addresses perform the following:

1. Navigate to the environment with your application deployed. Press Config button for the Tomcat server.

2. Go to the /opt/tomcat/webapps/ROOT/META-INF folder and open the context.xml file.

3. Add the following strings to the context.xml file as shown below:

<Context antiJARLocking="true" path="/">
 <Valve className="org.apache.catalina.valves.RemoteIpValve" />
 <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="{IP_address}" />
</Context>

Note: If there is no context.xml file in your /opt/tomcat/webapps/ROOT/META-INF folder, you need to create it, add all the above-mentioned strings, and restart your Tomcat server for the changes to be applied.

4. Save the changes and Restart your Tomcat server.

Subsequently, the user with the denied IP address will see the HTTP Status 403 while trying to access your application. And that's all! Simply, isn't it?

Just a few easy steps are required to protect your app from abusive users. These are just some basic settings that can be implemented to make your web application more secure. If you are interested in additional methods of protection, feel free to leave your comments below stating the problem you want to solve.

Web application Apache Tomcat security

Published at DZone with permission of Tetiana Fydorenchyk, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Bad or Good? Behavior Driven Development within Scrum.
  • Brewing Patterns in Java: An Informal Primer
  • A Guide to Maven 3 Beta
  • Verizon’s Data Breach Report: Cloud Security Insights

Comments

Security Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • MVB Program
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends:

DZone.com is powered by 

AnswerHub logo