RESTful Basic HTTP authentication with tomcat JDBCRealm

Hi All,

In this post I will describe how to secure a web application that exposes a RESTful API.

I will use JDBCRealm – an implementation of the Tomcat Realm interface that looks up users in a relational database accessed via a JDBC driver.

  1. First we need to create three new database tables for storing users and groups:
    users – with two columns: name (primary key) and password (hashed).
    groups – with one column: name (primary key).
    users_groups – with two columns: name and groupname (the many-to-many link between users and groups).
  2. Second we need to enable JDBCRealm in server.xml (inside the <Engine> or <Host> element, in place of the default realm) by adding:
    <!-- driverName and connectionURL are required; the values shown are placeholders for a MySQL database -->
    <Realm className="org.apache.catalina.realm.JDBCRealm"
           driverName="com.mysql.jdbc.Driver"
           connectionURL="jdbc:mysql://localhost:3306/your_db"
           connectionName="root" connectionPassword=""
           userTable="users" userNameCol="name" userCredCol="password"
           userRoleTable="users_groups" roleNameCol="groupname"
           digest="SHA-256" />

    (We are storing the password hashed with the SHA-256 algorithm; the digest attribute makes the realm hash the incoming password the same way before comparing it with the stored value.)

  3. Now it is recommended to configure Tomcat with SSL/TLS:
    Generate the keystore file and password by running in a shell:
    keytool -genkey -keyalg RSA -keysize 2048 -alias techtracer -keypass ttadmin -keystore techtracer.bin -storepass ttadmin
    And add to server.xml (keystoreFile must point at the file keytool just wrote):
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="false"
               keystoreFile="/your_location/.keystore" keystorePass="your_password"
               maxThreads="25" acceptCount="100" enableLookups="false"
               disableUploadTimeout="true" />

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

  4. Finally we need to update web.xml:
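The steps above leave a few practical details open: what exactly goes into the password column so that the realm accepts it, what the web.xml part looks like, what Basic authentication actually puts on the wire, and how to verify the deployment. The shell script below is an added example and not code from the original post. It emits MySQL DDL for the three tables of step 1 with one test user whose password is stored as the lowercase hex SHA-256 digest that a JDBCRealm configured with digest="SHA-256" compares against, emits a web.xml fragment for step 4 that protects the API with BASIC authentication and forces HTTPS, and includes a curl check against the HTTPS connector of step 3. The database name realmdb, the realm account tomcat_realm, the user alice, the group (and role) api-users and the URL pattern /api/* are assumed values chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Glue for the four steps:
# MySQL schema with a test user (step 1), password stored the way
# JDBCRealm digest="SHA-256" expects, web.xml fragment (step 4), and a curl
# check against the HTTPS connector from step 3.
# Assumed values (not from the post): database realmdb, realm account
# tomcat_realm, user alice, group/role api-users, API under /api/*.
set -eu

# JDBCRealm with digest="SHA-256" hashes the password taken from the
# Authorization header and compares the lowercase hex digest with
# users.password, so the column must hold exactly that form
# (the same thing MySQL's SHA2(pw, 256) produces).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.* //'
  fi
}

# What the client actually sends: base64(user:password). Encoding only,
# no secrecy, which is why step 3 (TLS) belongs to the procedure.
basic_auth_header() {
  printf 'Authorization: Basic %s\n' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Step 1: the three tables the realm reads, one test user, and a
# SELECT-only account for Tomcat so server.xml need not use root.
emit_schema_sql() {
  user=$1; pass=$2; group=$3
  cat <<EOF
CREATE TABLE users (
  name     VARCHAR(64) NOT NULL PRIMARY KEY,
  password CHAR(64)    NOT NULL   -- hex SHA-256 is always 64 characters
);
CREATE TABLE \`groups\` (         -- "groups" is a reserved word in MySQL 8, hence quoted
  name VARCHAR(64) NOT NULL PRIMARY KEY
);
CREATE TABLE users_groups (
  name      VARCHAR(64) NOT NULL,
  groupname VARCHAR(64) NOT NULL,
  PRIMARY KEY (name, groupname),
  FOREIGN KEY (name) REFERENCES users(name),
  FOREIGN KEY (groupname) REFERENCES \`groups\`(name)
);
INSERT INTO \`groups\` VALUES ('$group');
INSERT INTO users VALUES ('$user', '$(sha256_hex "$pass")');
INSERT INTO users_groups VALUES ('$user', '$group');
CREATE USER 'tomcat_realm'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT ON realmdb.users TO 'tomcat_realm'@'localhost';
GRANT SELECT ON realmdb.users_groups TO 'tomcat_realm'@'localhost';
EOF
}

# Step 4: what goes inside <web-app> in web.xml. The role name is the
# groupname column, because server.xml maps roleNameCol to it.
emit_web_xml() {
  role=$1
  cat <<EOF
<security-constraint>
  <web-resource-collection>
    <web-resource-name>REST API</web-resource-name>
    <url-pattern>/api/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>$role</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL: plain-HTTP requests are redirected to the connector's redirectPort (8443 in the post) -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>REST API</realm-name>
</login-config>
<security-role>
  <role-name>$role</role-name>
</security-role>
EOF
}

# Check against a running Tomcat: the first call must get 401 (with a
# WWW-Authenticate: Basic header), the second 200. -k only because the
# step 3 keystore is self-signed. Not run by default; needs the server up.
smoke_test() {
  app=$1; user=$2; pass=$3
  url="https://localhost:8443/$app/api/"
  curl -sk -o /dev/null -w 'no credentials:   %{http_code}\n' "$url"
  curl -sk -o /dev/null -w 'with credentials: %{http_code}\n' -H "$(basic_auth_header "$user" "$pass")" "$url"
}

main() {
  emit_schema_sql alice 'correct horse battery' api-users > realm.sql
  emit_web_xml api-users > web-xml-fragment.xml
  echo "wrote realm.sql and web-xml-fragment.xml; load the SQL, paste the fragment into web.xml, then run: smoke_test <app> alice 'correct horse battery'"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run the script with --run to write realm.sql and web-xml-fragment.xml, load the SQL into the database the connectionURL points at, and paste the fragment inside <web-app> of the application's web.xml. Two points the script makes visible: Basic authentication carries the password base64-encoded on every request, so the CONFIDENTIAL transport guarantee and the HTTPS connector of step 3 are what keeps it from being readable in transit; and the digest attribute of JDBCRealm is a single unsalted hash, so on Tomcat 8 and later the nested CredentialHandler element (MessageDigestCredentialHandler with a salt length and an iteration count) is the better way to store the same column.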
We did it!