tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Configuring Tomcat 6 to use basic authentication only on https connectors
Date Thu, 24 Mar 2011 19:03:41 GMT


On 3/24/2011 1:49 PM, Gaugusch, Gerhard wrote:
> is there a way to configure tomcat 6 to use basic authentication only
> on https connectors? I know that it is possible to define in each
> deployed application via web.xml to allow only https connections. 
> What I am searching for is a way to prevent all deployed applications
> to use basic authentication without https. But I don't want to touch
> each application itself.

So, you want to do one of the following:

1. Always use HTTPS

2. Require requests with BASIC authentication headers to always use HTTPS

If your requirement is the first listed above, you could simply not
define a non-HTTPS connector, or configure conf/web.xml (that's the
site-wide deployment descriptor) with a <security-constraint> that
specifies "/*" as the url-pattern and CONFIDENTIAL as the

If you want the second, and you want to do it site-wide without touching
any of the web apps, I think you'll have to write a Valve (or a Filter
if you're using Tomcat 7) and install it in conf/context.xml.

This Filter (or Valve) would inspect the request and perform a redirect
if it sees HTTP + BASIC Auth headers. You should probably also look for
(non-secure) HTTP responses that send a 401 status code and change those
to a 30x response to avoid clients sending BASIC authentication
information in the first place.

-chris


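The request-side check described in the message above, as an added example that is not part of the original post or of Tomcat's own code: a Valve written against the Tomcat 6 Catalina API that redirects any plain-HTTP request carrying a BASIC Authorization header to the connector's redirectPort. The class and package names are hypothetical, and the response-side rewriting of 401 responses mentioned in the message is not covered here.

```java
package example.valves; // hypothetical package name (assumption)

import java.io.IOException;
import java.util.Locale;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Refuses to process BASIC credentials that arrive over a non-secure connector. */
public class BasicAuthHttpsOnlyValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String auth = request.getHeader("Authorization");
        if (!request.isSecure() && isBasic(auth)) {
            // The credentials have already crossed the wire in clear text.
            // Do not hand the request to the web application; send the
            // client to the HTTPS connector instead.
            response.sendRedirect(httpsUrl(request));
            return;
        }
        getNext().invoke(request, response);
    }

    /** The auth scheme name is case-insensitive, so compare in lower case. */
    static boolean isBasic(String header) {
        return header != null
                && header.trim().toLowerCase(Locale.ENGLISH).startsWith("basic ");
    }

    /** Same host, path and query string, on the connector's redirectPort. */
    private static String httpsUrl(Request request) {
        int port = request.getConnector().getRedirectPort();
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (port != 443) {
            url.append(':').append(port);
        }
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }
}
```

With the compiled class on Tomcat's own classpath (the lib directory), it is enabled for every web application by adding `<Valve className="example.valves.BasicAuthHttpsOnlyValve"/>` inside the `<Context>` element of conf/context.xml. `isSecure()` reflects the connector's `secure` attribute, so a connector that sits behind a TLS-terminating proxy has to set that attribute for the check to be accurate.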