Tomcat - Basic access authentication

Hello,

I am trying to restrict access to Tomcat applications on a server to specific users, without being prompt for username and password.
However, all the attempts  using basic authentication led me to : 1 - either restrict the access not just to the applications, but to the manager page as well (when I made the amendment on server.xml); 2 - or restrict the applications (by amending the context.xml).
The first outcome is not ideal as I need only the applications to be restricted, the second outcome requires extra checks once a deployment happens as the context.xml is going to  be replaced as part of the process (and it is also not ideal to have credentials saved in the code).

Any suggestion on using a token authentication between the servers/users to access the applications running on a Tomcat server?

Thanks in advance.

Welcome to the Ranch, Merlin!

How do you propose to limit access to "authorized users" if you do not know who the user (userid) is?  

There are a number of authentication mechanisms available, but knowing who is who is pretty much essential to all of them, and especially if different users have different privileges.

Hello Tim,

Thanks a lot for the welcome greetings and for replying to my very first post!  

You are right, I should have explained better who the users are.
I want to limit access to specific servers, say only server A,B,C will have access granted to the web applications running on my Tomcat server.
The reason why I would like to avoid user/password prompt is because the request to access the content comes from a servers ('the users'), instead of a 'real user'.
So I have attempted to restrict the access by IP only, and got stuck on restrict access not just to the applications, but to the manager page as well.
I am searching now the possibility of passing the 'credentials/token' of the servers that I want to grant access to the applications via the https parameters, but still no success.  

Merlin

If you strictly need to control access based on IP address, then I would use iptables or firewalld so that only authorized endpoints ever reach the server.

If you need control based on additional factors such as request URI, I would also/instead use nginx or httpd as a reverse proxy.  Using a reverse proxy can provide additional benefits such as:
  - security gateway to offload TLS processing from backend servers
  - load balancer to distribute to multiple server instances
  - rate limiter to help reduce DOS
  - in the case of a microservice architecture act as a service router to forward the requests to the responsible microservices

In addition, I would use JWT or some other token mechanism and use the roles/groups claims to control access to individual services/methods.

First, let me second Ron's advocacy for fronting Tomcat with a reverse proxy. In addition to the reasons he gave, there's one more very important one: Tomcat cannot listen on ports 80 and 443 safely, but a reverse proxy can.

To filter requests based on whether they are internal or external, you have 2 options. One is to use a reverse proxy and forbid the internal URLs from external servers. You'd probably just want to forbid them entirely in the proxy and have the internal servers talk to Tomcat directly. Most firewalls cannot filter by URL, and as mentioned, a reverse proxy is a useful thing to have in general.

The other option does require assigning user IDs to the internal servers. I'm assuming based on what I've heard that all external users are going to be anonymous. To avoid a password challenge, however, you can configure Tomcat to authenticate via client certificate. This is a relatively rare but useful option where you create security certs for each client machine and pair them with credentials registered with Tomcat.Be warned, though, that if the client machine goes down and gets swapped out, the swapped-in machine is going to have to have a valid cert!

A further note when using user IDs. Don't log in the same user ID from multiple machines! Tomcat will not like it and you may have corruption in your session-scope variables if you have any, plus possible cookie conflicts. Give each client a unique ID.