Securing applications in Tomcat

In this section, we will learn how to protect resources in the Tomcat server. To keep the example consistent with the one we learned in the previous section for GlassFish, we will protect all pages in the admin folder. We will use the CourseManagementJDBC project we created in Chapter 4, Creating JEE Database Applications, to get started. Recall that in Chapter 4, Creating JEE Database Applications, we deployed this project in the Tomcat server. Perform the following steps to import the project into the new workspace for this chapter and configure Tomcat:

  1. Copy the CourseManagementJDBC project from the Chapter 7, Creating JEE Applications with EJB, project folder to the current workspace. Import the project into the new workspace (open the File | Import menu and then select Maven | Existing Maven Projects).
  2. Configure Tomcat, as described in the Configuring Tomcat in Eclipse section in Chapter 1, Introducing JEE and Eclipse.
  3. Make sure the application is added to the server and runs as expected. See the Running JSP in Tomcat section in Chapter 2, Creating a Simple JEE Web Application.
  4. Copy the admin folder from CourseManagementMavenWebApp (see the previous section in this chapter) to src/main/webapp in the CourseManagementJDBC project. So, the code to protect the admin folder is the same for projects in GlassFish and Tomcat.

So, now you should have the CourseManagementJDBC project and Tomcat configured in Eclipse.

We will now modify web.xml to add security constraints, as we did in the previous section for GlassFish:

<security-constraint>
  <display-name>Admin resources</display-name>
  <web-resource-collection>
    <web-resource-name>admins</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

There are two differences in the preceding configuration compared with the GlassFish configuration:

  • There is no need to map role-name to group names as we did in GlassFish; Tomcat compares the role name directly with the group name returned by the realm. Therefore, the role name is changed from admin-role to just admin in <auth-constraint>.
  • There is no need for the <realm-name> tag in <login-config>.

Let's now configure the JDBC realm in Tomcat by adding the <Realm> tag in server.xml. If you are using Tomcat configured in Eclipse to run the application, then you can access server.xml by expanding the Servers node in Project Explorer:

Figure 14.4: Access of server.xml in the Tomcat server configured in Eclipse

If you are running Tomcat outside Eclipse, then you will find server.xml at $CATALINA_BASE/conf/server.xml.

Add the following Realm tag in server.xml, inside the <Engine defaultHost="localhost" name="Catalina"> node:

<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost:3306/course_management"
       connectionName="<your-db-username>"
       connectionPassword="<your-db-password>"
       userTable="user_group_view"
       userNameCol="user_name"
       userCredCol="password"
       userRoleTable="user_group_view"
       roleNameCol="group_name" />

The realm runs inside Tomcat itself, not inside our web application, so the MySQL JDBC driver must be on Tomcat's own classpath rather than only in the project's WEB-INF/lib. Copy the MySQL JDBC driver JAR to <tomcat-install-dir>/lib. You can download the driver from https://dev.mysql.com/downloads/connector/j/, if you haven't already done so.

That is all that is required to protect folders in Tomcat. Restart the server and browse to http://localhost:8080/CourseManagementJDBC/admin/admin.jsp. You should see the login page.
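To see how the web.xml constraint and the Realm attributes fit together, here is an added Python model of the authorization chain (not Tomcat's own Java code): the realm looks up the credential and the group by user name using the configured table and column names, and the container then compares the group with the role-name of the constraint matching the request path. The view contents are constructed sample rows, and the credential comparison is a plain constant-time string compare, which is the realm's behaviour when no digest or CredentialHandler is configured.

```python
import hmac
import sqlite3

# Constructed stand-in for the user_group_view view named in the Realm tag.
# Column names match userNameCol, userCredCol and roleNameCol in server.xml.
ROWS = [("alice", "alice-pass", "admin"), ("bob", "bob-pass", "user")]

# Realm attributes copied from server.xml; these are trusted configuration,
# never request input, so building SQL from them is safe here.
REALM = dict(userTable="user_group_view", userNameCol="user_name",
             userCredCol="password", userRoleTable="user_group_view",
             roleNameCol="group_name")

# Security constraint from web.xml: /admin/* requires the role "admin".
CONSTRAINTS = [("/admin/*", {"admin"})]


def build_view():
    """In-memory sqlite copy of the view so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_group_view "
                 "(user_name TEXT, password TEXT, group_name TEXT)")
    conn.executemany("INSERT INTO user_group_view VALUES (?, ?, ?)", ROWS)
    return conn


def authenticate(conn, username, password):
    """Fetch the stored credential by user name, as JDBCRealm does, then compare."""
    sql = (f"SELECT {REALM['userCredCol']} FROM {REALM['userTable']} "
           f"WHERE {REALM['userNameCol']} = ?")
    row = conn.execute(sql, (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], password)


def roles_for(conn, username):
    """Group names for the user; no role mapping, so these ARE the role names."""
    sql = (f"SELECT {REALM['roleNameCol']} FROM {REALM['userRoleTable']} "
           f"WHERE {REALM['userNameCol']} = ?")
    return {r[0] for r in conn.execute(sql, (username,))}


def matches(pattern, path):
    """Servlet url-pattern match: '/admin/*' covers '/admin' and '/admin/...'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def authorize(conn, path, username, password):
    """Container decision for one request: unconstrained, unauthenticated, forbidden or ok."""
    required = [roles for pat, roles in CONSTRAINTS if matches(pat, path)]
    if not required:
        return "unconstrained"
    if not authenticate(conn, username, password):
        return "unauthenticated"
    granted = roles_for(conn, username)
    return "ok" if any(roles & granted for roles in required) else "forbidden"
```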
