In tomcat's conf directory there is a file called tomcat-users.xml.
There are a few user accounts already there (Tomcat 3.2.1), one is
called 'tomcat', having a role 'tomcat' (a bit confusing but Java
Servlet API Spec 2.2 might clear that up for you). Next set your web.xml
file up. Something like:

-----------------------------------------
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Demo</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
        <!-- In the 2.2 DTD, user-data-constraint is a child of
             security-constraint and follows auth-constraint -->
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Example</realm-name>
    </login-config>
</web-app>
-----------------------------------------

should be sufficient to grant only 'tomcat' role permission to see the
resource of the site '/*' (basically everything under tomcat's control).
Note that this is done using basic authentication and there is no
encryption involved.

You might want to read JDBCRealm HOWTO if you wish to use an SQL
database to store user accounts and roles.

Hope this is useful (and correct :-)

Bojan

Tim Kang wrote:
> 
> I was wondering if anybody knows how to password protect a directory in
> Tomcat environment
> 
> Please let me know
> 
> Thanks
> 
> Tim
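
A small audit for this kind of web.xml, added here as an example and not part of the original message or of Tomcat. It runs over a constructed sample modelled on the constraint discussed in the message and flags three things: a user-data-constraint nested inside the resource collection, http-method entries that limit the constraint to the listed methods, and BASIC or FORM login without a CONFIDENTIAL transport guarantee. The function name and finding codes are hypothetical, and it assumes a Servlet 2.2 style descriptor without XML namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the constraint in the message (not a real deployment).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Demo</web-resource-name>
      <url-pattern>/*</url-pattern>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def audit_web_xml(xml_text):
    """Return a list of (code, detail) findings for a namespace-free web.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    auth_method = (root.findtext("login-config/auth-method") or "").strip().upper()
    for sc in root.findall("security-constraint"):
        coll = "web-resource-collection"
        patterns = [p.text.strip() for p in sc.findall(coll + "/url-pattern") if p.text]
        label = ",".join(patterns) or "(no url-pattern)"
        # The DTD makes user-data-constraint a child of security-constraint.
        if sc.find(coll + "/user-data-constraint") is not None:
            findings.append(("MISPLACED_USER_DATA_CONSTRAINT", label))
        # Listed methods narrow the constraint; any other method is not covered by it.
        methods = sorted({m.text.strip().upper()
                          for m in sc.findall(coll + "/http-method") if m.text})
        if methods:
            findings.append(("UNLISTED_METHODS_UNPROTECTED",
                             f"{label} only covers {'/'.join(methods)}"))
        # An absent transport-guarantee behaves like NONE: credentials cross the wire in clear.
        guarantee = (sc.findtext(".//transport-guarantee") or "NONE").strip().upper()
        if (sc.find("auth-constraint") is not None
                and auth_method in ("BASIC", "FORM") and guarantee == "NONE"):
            findings.append(("CLEARTEXT_CREDENTIALS",
                             f"{label} uses {auth_method} without CONFIDENTIAL"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_web_xml(SAMPLE_WEB_XML):
        print(code, detail)
```

A constraint with no http-method entries and a CONFIDENTIAL guarantee placed directly under security-constraint produces no findings.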
