Okay, so I had a play with Realm Authentication…
First thing was where the <Realm> tag should go. Umm, I’m a little unfamiliar with Tomcat. Tracked it down eventually – lots of examples of realm tags in server.xml. Not the right place still – I just want this to apply to my single web application – but good enough for now.
The realm tag I used was:
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://localhost/jtest"
connectionName="root" connectionPassword="password"
userTable="tusers" userNameCol="cUser" userCredCol="cPwd" userRoleTable="troles" roleNameCol="cRole"/>
Naturally, this requires the MySQL JDBC driver from MySQL.com. Download it, and place it into the $Tomcat/common/lib directory (still with me?)
Careful that you actually enter the correct password – some idiots try to configure the JDBC connection with the wrong password
Next up, set up some tables in MySQL:
Table tusers:
+-------+-------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| cUser | varchar(32) | | PRI | | |
| cPwd | varchar(32) | | | | |
+-------+-------------+------+-----+---------+-------+
Table troles:
+-------+-------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| cUser | varchar(32) | | MUL | | |
| cRole | varchar(32) | | | | |
+-------+-------------+------+-----+---------+-------+
And populate with data:
+-------+-------+
| cUser | cPwd |
+-------+-------+
| Alice | bingo |
| Bob | chuck |
| Eve | daily |
+-------+-------+
+-------+-------+
| cUser | cRole |
+-------+-------+
| Alice | user |
| Alice | admin |
| Bob | user |
+-------+-------+
So, we’ve got our user and role tables set up, Tomcat configured to query it – only 2 more essential components to configure. What, you ask, with baited breath. (Actually, would baited breath not smell? I digress…)
We need content to apply our permissions to, and a web deployment descriptor (web.xml) to describe the security applied to these resources.
I created 2 html files. That’s right, just HTML, not servlets, not JSP, just static html. I created user.html and admin.html:
<html>
<head><title>UserAuth</title></head>
<body>User Perm Authenticated</body>
</html>
Admin.html is the same, just with ‘admin’ where it says ‘user’.
In my $Tomcat/webapps directory, I created a new directory ‘test’. Beneath this, I created a directory ‘html’ and I put the html files in there. It just seemed like a good idea, though I guess you could stick it under the root – just you’d have to specify a different <security-constraint>. See below, you’ll get what I mean.
I also created a WEB-INF directory for the web.xml file. I then wrote my web.xml file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<description>
JSP 2.0 Examples.
</description>
<display-name>JSP 2.0 Examples</display-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>userstuff</web-resource-name>
<url-pattern>/html/user.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>adminstuff</web-resource-name>
<url-pattern>/html/admin.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>test</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
<security-role>
<role-name>admin</role-name>
</security-role>
</web-app>
Things to notice – I have separate <security-constraint> elements for the two html files, though as it is a pattern match on the path, you don’t have to. And I have two roles, user and admin.
That’s it, really. Try going to the path for each of the files and logging in as Alice, Bob and Eve. ‘Nuff said.
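To make the expected outcomes concrete, here is an added example (my own code, not from the post or from Tomcat) that models what the JDBCRealm plus the two <security-constraint> blocks above actually decide for each request. It loads a constructed copy of the tusers and troles tables into an in-memory SQLite database, runs the same two lookups the realm does (credential by user name, then roles by user name), and maps the result onto the HTTP status Tomcat would send for BASIC auth: 401 when there are no or wrong credentials, 403 when the user authenticates but holds none of the required roles, 200 otherwise. The function names and the CONSTRAINTS table are assumptions for this illustration.

```python
import sqlite3
from base64 import b64decode, b64encode

# Constructed copy of the two tables from the post (tusers, troles), loaded into
# an in-memory SQLite database so the example runs without MySQL or Tomcat.
SCHEMA_AND_DATA = """
CREATE TABLE tusers (cUser VARCHAR(32) PRIMARY KEY, cPwd VARCHAR(32));
CREATE TABLE troles (cUser VARCHAR(32), cRole VARCHAR(32));
INSERT INTO tusers VALUES ('Alice','bingo'),('Bob','chuck'),('Eve','daily');
INSERT INTO troles VALUES ('Alice','user'),('Alice','admin'),('Bob','user');
"""

# The two <security-constraint> blocks from web.xml, reduced to
# url-pattern -> set of roles named in the <auth-constraint> (assumed layout).
CONSTRAINTS = {
    "/html/user.html": {"user"},
    "/html/admin.html": {"admin"},
}


def open_realm_db():
    """Create the constructed user/role database in memory."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA_AND_DATA)
    return db


def authenticate(db, username, password):
    """Mirror of the JDBCRealm lookup: fetch the credential for the user name
    (userTable/userNameCol/userCredCol) and compare it, then collect the roles
    (userRoleTable/roleNameCol). Returns the role set, or None on failure."""
    row = db.execute("SELECT cPwd FROM tusers WHERE cUser = ?", (username,)).fetchone()
    if row is None or row[0] != password:
        return None
    rows = db.execute("SELECT cRole FROM troles WHERE cUser = ?", (username,)).fetchall()
    return {r[0] for r in rows}


def basic_header(username, password):
    """Build the 'Authorization: Basic ...' value a browser would send."""
    token = b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Decode a Basic header value into (user, password); None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = b64decode(header[6:]).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, pwd = decoded.partition(":")
    if not sep:
        return None
    return user, pwd


def request(db, path, authorization=None):
    """Return the HTTP status the container would produce for this request."""
    allowed = CONSTRAINTS.get(path)
    if allowed is None:
        return 200  # no constraint covers this path: served without a login
    creds = parse_basic(authorization)
    if creds is None:
        return 401  # BASIC challenge: no usable credentials supplied
    roles = authenticate(db, *creds)
    if roles is None:
        return 401  # unknown user or wrong password: challenge again
    if roles & allowed:
        return 200
    return 403  # authenticated, but not in any role the constraint requires


def walkthrough(db):
    """Try every user from the post against both protected pages."""
    users = {"Alice": "bingo", "Bob": "chuck", "Eve": "daily"}
    return {
        (user, path): request(db, path, basic_header(user, pwd))
        for user, pwd in users.items()
        for path in CONSTRAINTS
    }


if __name__ == "__main__":
    for (user, path), status in sorted(walkthrough(open_realm_db()).items()):
        print(f"{user:<6} {path:<17} -> {status}")
```

Running it shows Alice getting 200 on both pages, Bob 200 on user.html but 403 on admin.html, and Eve, who authenticates fine but has no row in troles, getting 403 on both. Two things the model makes visible: the credential column is compared as plain text, which is exactly how the post's tusers table stores it (JDBCRealm has a digest attribute for storing hashed credentials instead), and the realm connects as the MySQL root account although the two SELECTs only ever need read access to those two tables. A <Realm> element can also be nested inside a single <Context> rather than in server.xml when it should apply to one web application only.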