Hi All,
In this post I will describe how to secure a web application that exposes a RESTful API.
I will use JDBCRealm – an implementation of the Tomcat Realm interface that looks up users in a relational database accessed via a JDBC driver.
- First we need to create three new database tables for storing users and groups:
users – with two columns: name (primary key) and password (hashed).
groups – with one column: name (primary key).
users_groups – with two columns: name & groupname (many to many).
- Second we need to enable JDBCRealm in server.xml by adding (the original used typographic quotes, which Tomcat's XML parser rejects, and a meaningless name="" attribute; both are corrected here):
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="org.gjt.mm.mysql.Driver"
connectionURL="jdbc:mysql://localhost/db_name"
connectionName="root" connectionPassword=""
userTable="users" userNameCol="name" userCredCol="password"
userRoleTable="users_groups" roleNameCol="groupname"
digest="sha-256"/>
(We are storing the password hashed with the SHA-256 algorithm, not in plaintext.)
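To see what the realm configuration above actually does at login time, here is an added example (not from the original post) that models the three tables in an in-memory SQLite database and performs the same lookup JDBCRealm performs with the attributes given: select userCredCol from userTable where userNameCol matches, compare the stored digest with the digest of the submitted password, then collect roles from userRoleTable. The table names, column names and role name come from the post; the user names and passwords are constructed sample data. JDBCRealm with digest="sha-256" stores the credential as the lowercase hexadecimal SHA-256 digest, which is what digest_password produces.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the MySQL database behind JDBCRealm: the three
# tables the post describes, created in an in-memory SQLite database.
SCHEMA = """
CREATE TABLE users (
    name     VARCHAR(64) NOT NULL PRIMARY KEY,
    password VARCHAR(64) NOT NULL            -- hex SHA-256 digest, never plaintext
);
CREATE TABLE groups (
    name VARCHAR(64) NOT NULL PRIMARY KEY
);
CREATE TABLE users_groups (
    name      VARCHAR(64) NOT NULL REFERENCES users(name),
    groupname VARCHAR(64) NOT NULL REFERENCES groups(name),
    PRIMARY KEY (name, groupname)           -- many-to-many link table
);
"""


def digest_password(plaintext: str) -> str:
    """Produce the credential in the form the post's realm expects:
    lowercase hex SHA-256 of the password (digest="sha-256", no salt)."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def open_realm_db() -> sqlite3.Connection:
    """Create the schema and seed it with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # 'server-user' matches <role-name>server-user</role-name> in web.xml.
    conn.execute("INSERT INTO groups VALUES ('server-user')")
    conn.execute("INSERT INTO groups VALUES ('auditor')")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", digest_password("correct horse")))
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("bob", digest_password("hunter2")))
    conn.execute("INSERT INTO users_groups VALUES ('alice', 'server-user')")
    conn.execute("INSERT INTO users_groups VALUES ('alice', 'auditor')")
    # bob is a valid user with no role: he authenticates but the
    # auth-constraint in web.xml will still reject him.
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, username: str, password: str):
    """Mirror JDBCRealm's lookup. Returns the user's roles (possibly empty)
    on success, or None when the user is unknown or the password is wrong."""
    row = conn.execute(
        "SELECT password FROM users WHERE name = ?", (username,)).fetchone()
    if row is None:
        return None
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(row[0], digest_password(password)):
        return None
    rows = conn.execute(
        "SELECT groupname FROM users_groups WHERE name = ?", (username,)).fetchall()
    return sorted(r[0] for r in rows)


def is_authorized(conn: sqlite3.Connection, username: str, password: str,
                  required_role: str = "server-user") -> bool:
    """Authentication plus the role check the <auth-constraint> enforces."""
    roles = authenticate(conn, username, password)
    return roles is not None and required_role in roles


if __name__ == "__main__":
    db = open_realm_db()
    print("alice:", is_authorized(db, "alice", "correct horse"))
    print("bob:", is_authorized(db, "bob", "hunter2"))
```

Two things the model makes visible. Authentication and authorization are separate: bob's password is correct, but without the server-user role the security constraint still denies him. And an unsalted single-round SHA-256, which is what digest="sha-256" gives you, is fast to brute-force offline if the users table leaks; Tomcat 8 and later let you nest a CredentialHandler (org.apache.catalina.realm.MessageDigestCredentialHandler with saltLength and iterations attributes) inside the Realm element, and the bundled bin/digest.sh script produces credentials in whichever format the realm is configured for.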
- Now it is recommended to configure Tomcat with SSL:
Generate the keystore file and password by running in a shell: keytool -genkey -alias techtracer -keypass ttadmin -keystore techtracer.bin -storepass ttadmin
And add to server.xml (quotes corrected to plain ASCII so the XML parses):
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="/your_location/.keystore" keystorePass="your_password"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
- Finally we need to update web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>your_server</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>server-user</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
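One caveat worth checking on the security-constraint above: when a web-resource-collection lists http-method elements, the constraint applies only to those methods, so HEAD, OPTIONS, PATCH and any other method reach /* without authentication (Tomcat logs a startup warning about such "uncovered" methods). Omitting the http-method elements covers every method, and Servlet 3.1 web.xml files can additionally declare deny-uncovered-http-methods so the container rejects anything a constraint does not cover. The following added example (not part of the original post) parses a web.xml fragment and reports, per url-pattern, which methods are left uncovered; PAGE_WEB_XML is the post's fragment wrapped in a web-app root, HARDENED_WEB_XML is a constructed corrected version, and the list of methods checked is an assumption chosen here.

```python
import xml.etree.ElementTree as ET

# Assumed set of methods to account for; extend as needed for your API.
KNOWN_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE")

# Constructed: the post's web.xml fragment, wrapped in a root element.
PAGE_WEB_XML = """<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>your_server</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint><role-name>server-user</role-name></auth-constraint>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Constructed: same constraint with no http-method list (covers all methods)
# plus the Servlet 3.1 deny-uncovered-http-methods element.
HARDENED_WEB_XML = """<web-app>
<deny-uncovered-http-methods/>
<security-constraint>
<web-resource-collection>
<web-resource-name>your_server</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint><role-name>server-user</role-name></auth-constraint>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def _local(tag: str) -> str:
    """Strip a namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}
    so the checker also works on real web.xml files that declare one."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    """All descendants (including elem itself) whose local name is `name`."""
    return [c for c in elem.iter() if _local(c.tag) == name]


def covered_methods(web_xml: str) -> dict:
    """Map each url-pattern to the set of methods its constraints cover.
    A collection without <http-method> covers every method; one that lists
    methods covers only those, leaving the rest unauthenticated."""
    root = ET.fromstring(web_xml)
    covered = {}
    for sc in _find_all(root, "security-constraint"):
        for wrc in _find_all(sc, "web-resource-collection"):
            methods = {m.text.strip().upper() for m in _find_all(wrc, "http-method")}
            if not methods:
                methods = set(KNOWN_METHODS)
            for up in _find_all(wrc, "url-pattern"):
                covered.setdefault(up.text.strip(), set()).update(methods)
    return covered


def uncovered_methods(web_xml: str) -> dict:
    """Per url-pattern, the known methods that bypass the constraint."""
    return {pattern: sorted(set(KNOWN_METHODS) - methods)
            for pattern, methods in covered_methods(web_xml).items()}


def denies_uncovered(web_xml: str) -> bool:
    """True when <deny-uncovered-http-methods/> is declared."""
    return bool(_find_all(ET.fromstring(web_xml), "deny-uncovered-http-methods"))


if __name__ == "__main__":
    for label, doc in (("post", PAGE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, uncovered_methods(doc), "deny-uncovered:", denies_uncovered(doc))
```

Run against the post's fragment the checker reports HEAD, OPTIONS, PATCH and TRACE as uncovered for /*; against the hardened version it reports none. Because a RESTful API is usually called with more than the four listed methods, dropping the http-method list is the simpler and safer choice here.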