Amazon EC2 Elastic Beanstalk Basic Authentication

I wanted to set up a secure update center for a NetBeans Platform application Tetrad IT is working on. I also wanted to play with Amazon EC2…

As the update center is for Tetrad staff only, I wanted to do the simplest thing that would work, so I used the MemoryRealm to store user credentials in Tomcat. I also wanted to be able to update the user credentials by deploying the WAR and not have to mess about with the Tomcat configuration files.

For the impatient, the EC2-specific portion of the setup is here.

Tell your application it needs security
To tell your web application how to secure itself, you configure the web.xml.

The security-constraint section tells the application to allow only users with the role netbeans-application to access the updates folder. The login-config section indicates that basic authentication is to be used. security-role defines the role we’ll be using.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <display-name>UserConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>UserConstraint</web-resource-name>
            <description/>
            <url-pattern>/updates/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>netbeans-application</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>file</realm-name>
    </login-config>
    <security-role>
        <description>NetBeans Platform application role</description>
        <role-name>netbeans-application</role-name>
    </security-role>
</web-app>

Who gets through security
Normally you would edit the tomcat-users.xml file in the Tomcat conf directory. Instead we’ll create a users.xml file in the web application WEB-INF directory. This file contains the credentials of the users who will be given access to the updates directory.

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
    <role rolename="netbeans-application"/>
    <user username="user1" password="password" roles="netbeans-application"/>
    <user username="user2" password="password" roles="netbeans-application"/>
    <user username="user3" password="password" roles="netbeans-application"/>
</tomcat-users>

Where to find the users
Your application is not looking for the user credential information in users.xml by default. To show your application where to find the user information create the file context.xml in the META-INF directory of your web application.

The important part to note is the pathname attribute. As far as I can tell, it needs to be an absolute path, as all non-absolute paths are relative to the Tomcat directory. This particular path is specific to the Elastic Beanstalk default setup.

<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/EC2Example">
    <Realm className="org.apache.catalina.realm.MemoryRealm" pathname="/opt/tomcat7/webapps/ROOT/WEB-INF/users.xml"/>
</Context>
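
The three files above have to agree on the role name and the realm path, and two weaknesses are easy to miss: BASIC sends base64-encoded credentials with every request, and users.xml here holds cleartext passwords. The following Python check is an added example, not code from the original post; the `audit` helper, its finding messages and the trimmed sample files are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample input: trimmed copies of the post's three files.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <auth-constraint><role-name>netbeans-application</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>netbeans-application</role-name></security-role>
</web-app>"""
USERS_XML = """<tomcat-users>
  <user username="user1" password="password" roles="netbeans-application"/>
  <user username="user2" password="password" roles="netbeans-application"/>
</tomcat-users>"""
CONTEXT_XML = """<Context><Realm className="org.apache.catalina.realm.MemoryRealm"
  pathname="/opt/tomcat7/webapps/ROOT/WEB-INF/users.xml"/></Context>"""

def _parse(text):
    # Drop namespaces so web.xml elements can be matched by their plain names.
    root = ET.fromstring(text.strip().encode("utf-8"))
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root

def audit(web_xml, users_xml, context_xml):
    """Hypothetical helper: return a list of findings for the three files."""
    web, users, ctx = (_parse(t) for t in (web_xml, users_xml, context_xml))
    needed = {(r.text or "").strip() for r in web.findall("security-constraint/auth-constraint/role-name")}
    declared = {(r.text or "").strip() for r in web.findall("security-role/role-name")}
    held = {r.strip() for u in users.iter("user") for r in u.get("roles", "").split(",")}
    out = [f"role {r!r} has no security-role declaration" for r in sorted(needed - declared)]
    out += [f"role {r!r} is not held by any user in users.xml" for r in sorted(needed - held)]
    # BASIC sends base64-encoded credentials with every request, so transport matters.
    basic = (web.findtext("login-config/auth-method") or "").strip() == "BASIC"
    tls = any((g.text or "").strip() == "CONFIDENTIAL" for g in web.iter("transport-guarantee"))
    if basic and not tls:
        out.append("BASIC auth without transport-guarantee CONFIDENTIAL: confirm TLS is enforced")
    for realm in ctx.iter("Realm"):
        path = realm.get("pathname", "")
        if not (posixpath.isabs(path) and path.endswith("/WEB-INF/users.xml")):
            out.append(f"Realm pathname {path!r} is not an absolute path to WEB-INF/users.xml")
    # Flag passwords reused across accounts or equal to the username.
    reuse = Counter(u.get("password") for u in users.iter("user"))
    for u in users.iter("user"):
        if reuse[u.get("password")] > 1 or u.get("password") == u.get("username"):
            out.append(f"user {u.get('username')!r} has a shared or username-equal password")
    return out
```

Calling `audit(WEB_XML, USERS_XML, CONTEXT_XML)` on the sample returns three findings: the transport one and one for each user sharing `password`.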

Wrapping up
Your web application structure should look something like this:

[Figure: Web application structure]

Pointing your NetBeans Platform application toward the secure update center should result in you being asked for a username and password:

[Figure: Update Center Authentication Popup]


3 Responses to Amazon EC2 Elastic Beanstalk Basic Authentication

  1. Mike says:

    I just used this. It worked perfectly the first time.

    In order to have it work on my Windows dev box, obviously without /usr/share/tomcat6/webapps, I used a Maven profile to include context.xml and users.xml when I build for deploy.

    Also, I’m not sure where your /opt path came from. Using the 64-bit Amazon Linux running Tomcat 6 stack, I used

    • Michael says:

      I’m glad it worked! Nice tip on the Maven build.

      Mine’s a 32-bit Tomcat 7 instance. I don’t have a Tomcat directory in /usr/share. Must be a difference in AMIs.

  2. Mike says:


    <?xml version="1.0" encoding="UTF-8"?>
    <Context antiJARLocking="true" path="/">
    <Realm className="org.apache.catalina.realm.MemoryRealm"
    pathname="/usr/share/tomcat6/webapps/ROOT/WEB-INF/users.xml"/>
    </Context>
