|+ ${TOMCAT_HOME} |+ webapps |+ auth |+ WEB-INF |+ web.xml |+ jsp |+ index.jsp

You need to activate the users/roles that will be authorized to authenticate to the application.

File location: ${TOMCAT_HOME}/conf/tomcat-users.xml

Example:
<role rolename="tomcat"/> <user username="tomcat" password="tomcat" roles="tomcat"/>

You need to configure your application so it will handle BASIC Authentication.

File location: ${TOMCAT_HOME}/webapps/auth/WEB-INF/web.xml

<?xml version="1.0" encoding="ISO-8859-1"?> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" version="4.0" metadata-complete="true"> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> <security-constraint> <web-resource-collection> <web-resource-name>Web Resource - Allow GET method</web-resource-name> <url-pattern>/jsp/*</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>tomcat</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>tomcat</role-name> </security-role> <login-config> <auth-method>BASIC</auth-method> <realm-name>UserDatabase</realm-name> </login-config> </web-app>

Here's a simple page that will show the connected user.

File location: ${TOMCAT_HOME}/webapps/auth/jsp/index.jsp

<html> <head> <title>Index Page</title> </head> <body> User: <b><%= request.getRemoteUser() %> </body> </html>

URL: http://localhost:8080/auth/jsp/



Here are the requests headers as it will be send by the browser, and the responses headers as it will be send back by Tomcat:

• First, the browser will send these headers as part of the request: GET /auth/jsp/ HTTP/1.1 Host: localhost:8080 ...
  
• Second, Tomcat will send back these headers as part of the response (401 Unauthorized): HTTP/1.1 401 WWW-Authenticate: Basic realm="UserDatabase" ...
  
• When you fill your username/password and you click the "Log In" button, the browser will send these headers as part of the request: GET /auth/jsp/ HTTP/1.1 Host: localhost:8080 Authorization: Basic dG9tY2F0OnRvbWNhdA== ...
  
• Then Tomcat will send back these headers as part of the response (200 OK): HTTP/1.1 200 Set-Cookie: JSESSIONID=A5A77952719D6CAB6C908C9010ED3F87;path=/abc/;HttpOnly ...
  

Notes:
You can decode the encoded values ent by the browser (Authorization: Basic dG9tY2F0OnRvbWNhdA==) by using the following Java code: byte[] decodedValue = Base64.getDecoder().decode("dG9tY2F0OnRvbWNhdA=="); System.out.println(new String(decodedValue, "UTF-8"));
Output: tomcat:tomcat

You can also use the following web site: https://www.base64decode.org