|+ ${TOMCAT_HOME} |+ webapps |+ auth |+ WEB-INF |+ web.xml |+ jsp |+ index.jsp

You need to activate the users/roles that will be authorized to authenticate to the application.

File location: ${TOMCAT_HOME}/conf/tomcat-users.xml

Example:
<role rolename="tomcat"/> <user username="tomcat" password="tomcat" roles="tomcat"/>

You need to configure your application so it will handle DIGEST Authentication.

File location: ${TOMCAT_HOME}/webapps/auth/WEB-INF/web.xml

<?xml version="1.0" encoding="ISO-8859-1"?> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" version="4.0" metadata-complete="true"> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> <security-constraint> <web-resource-collection> <web-resource-name>Web Resource - Allow GET method</web-resource-name> <url-pattern>/jsp/*</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>tomcat</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>tomcat</role-name> </security-role> <login-config> <auth-method>DIGEST</auth-method> <realm-name>UserDatabase</realm-name> </login-config> </web-app>

Here's a simple page that will show the connected user.

File location: ${TOMCAT_HOME}/webapps/auth/jsp/index.jsp

<html> <head> <title>Index Page</title> </head> <body> User: <b><%= request.getRemoteUser() %> </body> </html>

URL: http://localhost:8080/auth/jsp/



Here are the requests headers as it will be send by the browser, and the responses headers as it will be send back by Tomcat:

• First, the browser will send these headers as part of the request: GET /auth/jsp/ HTTP/1.1 Host: localhost:8080 ...
  
• Second, Tomcat will send back these headers as part of the response (401 Unauthorized): HTTP/1.1 401 WWW-Authenticate: Digest realm="UserDatabase", qop="auth", nonce="1477333786610:4694e697ce28d3fec1f84a34cb086ad4", opaque="A61241EB4E820D515BBC0FC63C3B12D2" ...
  
• When you fill your username/password and you click the "Log In" button, the browser will send these headers as part of the request: GET /auth/jsp/ HTTP/1.1 Host: localhost:8080 Authorization: Digest username="tomcat", realm="UserDatabase", nonce="1477333786610:4694e697ce28d3fec1f84a34cb086ad4", uri="/auth/jsp/", response="f148822e4c467ad9827d3554526f7739", opaque="A61241EB4E820D515BBC0FC63C3B12D2", qop=auth, nc=00000001, cnonce="58960d3f673835e1" ...
  
• Then Tomcat will send back these headers as part of the response (200 OK): HTTP/1.1 200 Set-Cookie: JSESSIONID=09DA19AE05A9132A594F5B4D0E4ECC9E;path=/abc/;HttpOnly ...