Configure the Delivery Tier to Use Basic Authentication
Introduction
Goal
Configure the delivery tier to use HTTP Basic authentication.
Background
Hippo's delivery tier is configured for form-based authentication by default. This page describes how to configure HTTP Basic authentication instead.
BASIC Authentication Configuration
To use Basic authentication instead of form-based authentication, replace the default FormAuthenticator valve with the BasicAuthenticator valve in your application context configuration:
site/src/main/webapp/META-INF/context.xml
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" />
In the site module's web.xml, replace the default security-constraint and login-config elements with ones similar to those in the following example:
site/src/main/webapp/WEB-INF/web.xml
<security-constraint> <web-resource-collection> <web-resource-name>Preview</web-resource-name> <url-pattern>/preview/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>everybody</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>HSTSITE</realm-name> </login-config>
The configuration above sets the protected web resource path ( /preview), which is protected by the servlet container with enabling BASIC Authentication. Also, only for demonstration purpose, the default role, ' everybody', is required for the protected web resource path ( /preview).
Please note that you should configure all the URL paths to protect when you are using BASIC Authentication option. Please see SRV.12.8 in the Servlet Specification for more detail.
Now, if you restart your application, you can test the login.
Visit the /preview page path. For example: http://localhost:8080/site/preview.
Your browser will pop up a login dialog. Enter a CMS username and password to sign in. You will be authenticated.
In your custom delivery tier components, you can check if the current user is authenticated by using HttpServletRequest#getUserPrincipal(). If the method returns a non-null value, the current user is authenticated!
If you enter a wrong user name or password, then the servlet container will return an HTTP 401 error.