RESTful Basic HTTP authentication with tomcat JDBCRealm

Hi All,

In this post I will describe how to secure a web application which exposes a RESTful API, using HTTP Basic authentication over TLS with users stored in a database.

I will use JDBCRealm, an implementation of the Tomcat Realm interface that looks up users and their roles in a relational database accessed via a JDBC driver.

  1. First we need to create three new database tables for storing users and groups:
    users - with two columns: name (primary key) and password (the hex-encoded SHA-256 hash of the password, see step 2).
    groups - with one column: name (primary key).
    users_groups - with two columns: name (references users.name) and groupname (references groups.name), one row per membership (many to many). JDBCRealm queries both tables with the same user column name (userNameCol), so the user column must be called "name" in users and in users_groups.
  2. Second we need to enable JDBCRealm in server.xml (nested inside the <Engine> or <Host> element) by adding:
    <Realm className="org.apache.catalina.realm.JDBCRealm"
           driverName="org.gjt.mm.mysql.Driver"
           connectionURL="jdbc:mysql://localhost/db_name"
           connectionName="root" connectionPassword=""
           userTable="users" userNameCol="name" userCredCol="password"
           userRoleTable="users_groups" roleNameCol="groupname"
           digest="sha-256"/>

    Do not connect as root with an empty password as in this snippet outside a throwaway test: create a dedicated MySQL account that has only SELECT on the three tables and put its credentials in connectionName/connectionPassword.

    (We are storing the password hashed, not encrypted: the password column holds the hex-encoded SHA-256 digest of the clear-text password, which is what Tomcat's bin/digest.sh -a sha-256 <password> prints. This is an unsalted, single-round hash, so it offers little protection against offline cracking if the table leaks; Tomcat 8 and later replace the digest attribute with a nested <CredentialHandler> (org.apache.catalina.realm.MessageDigestCredentialHandler) that adds a salt and an iteration count.)

  3. Now we need to configure Tomcat with SSL. BASIC authentication sends the user name and password base64-encoded, not encrypted, with every request, so TLS is mandatory, and the CONFIDENTIAL constraint in step 4 relies on this connector:
    Generate a keystore file and password by running in a shell:
    keytool -genkey -alias techtracer -keyalg RSA -keysize 2048 -keypass ttadmin -keystore techtracer.bin -storepass ttadmin
    (Without -keyalg keytool defaults to DSA; the key password and the store password must be the same unless you also set keyPass on the connector. This produces a self-signed certificate that clients will not trust by default, so use a CA-issued certificate in production.)
    And add to server.xml, pointing keystoreFile at the file you just generated and keystorePass at its -storepass:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" clientAuth="false"
               keystoreFile="/your_location/techtracer.bin" keystorePass="ttadmin"
               maxThreads="25" acceptCount="100"
               enableLookups="false" disableUploadTimeout="true" />

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

    redirectPort is where Tomcat sends a request that arrives on a non-SSL connector but hits a CONFIDENTIAL constraint; the plain HTTP connector on 8080 should carry redirectPort="8443" as well.

  4. Finally we need to update the application's web.xml:
    <security-constraint>
            <web-resource-collection>
                    <web-resource-name>your_server</web-resource-name>
                    <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                    <role-name>server-user</role-name>
            </auth-constraint>
            <user-data-constraint>
                    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
    </security-constraint>
    <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>your_server</realm-name>
    </login-config>
    <security-role>
            <role-name>server-user</role-name>
    </security-role>

    Do not list <http-method> elements (GET, POST, PUT, DELETE) inside the web-resource-collection: a constraint that names methods covers only those methods, so HEAD, OPTIONS, TRACE and any other verb would reach the API without authentication (Tomcat 7 and later log a warning about such constraints at deployment). Leaving <http-method> out makes the constraint apply to every method. The role name server-user must exist in the groups table and be mapped to each user in users_groups, otherwise authentication succeeds but authorization fails with 403.
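As an added example (not code from the original post), here is a small POSIX shell helper that ties the four steps together: it hashes a password the way digest="sha-256" expects (hex SHA-256 of the clear text, no salt), checks a candidate password against a stored hash the way the realm does, emits the INSERT statements that populate the three tables, and builds the Authorization header that curl needs to exercise the protected API. The user name, password, group and URL path used below (techuser, abc, server-user, /your_server/api/resource) are made-up sample values.

```shell
#!/bin/sh
# Helpers for the JDBCRealm setup above. Needs sha256sum, shasum or openssl,
# plus base64. Sample values (techuser / abc / server-user) are made up.

# Hex-encoded SHA-256 of a clear-text password: the value JDBCRealm with
# digest="sha-256" expects in users.password (same output as Tomcat's
# bin/digest.sh -a sha-256 <password>).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= *//'
    fi
}

# What the realm does on login: hash the submitted password and compare it
# case-insensitively with the stored digest. Returns 0 on a match.
check_password() {
    stored=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    [ "$stored" = "$(sha256_hex "$2")" ]
}

# SQL to load one user into the three tables. Values are interpolated
# verbatim, so only feed it administrator-chosen names: it is not
# injection-safe and is meant to be pasted into the mysql client by hand.
user_insert_sql() {
    user=$1; pass=$2; group=$3
    hash=$(sha256_hex "$pass")
    printf "INSERT INTO groups (name) VALUES ('%s');\n" "$group"
    printf "INSERT INTO users (name, password) VALUES ('%s', '%s');\n" "$user" "$hash"
    printf "INSERT INTO users_groups (name, groupname) VALUES ('%s', '%s');\n" "$user" "$group"
}

# Header for HTTP Basic: base64("user:password"). Nothing here is encrypted,
# which is why the TLS connector from step 3 is mandatory.
basic_auth_header() {
    printf 'Authorization: Basic %s' \
        "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Example run: print the SQL for a sample user, then a curl command that
# calls the API through the 8443 connector. -k only skips verification of
# the self-signed test certificate from step 3; with a real certificate use
# --cacert instead.
user_insert_sql techuser abc server-user
printf 'curl -k -H "%s" https://localhost:8443/your_server/api/resource\n' \
    "$(basic_auth_header techuser abc)"
```

A request without the header should come back 401 with a WWW-Authenticate: Basic header; the same request on the plain HTTP port should be redirected to 8443 rather than served.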
We did it!