How do I provide basic http authentication for static tomcat webapps without changing tomcat-users.xml?

Question

I have access to the tomcat manager and can upload war-files. One of these wars is a static web project (zipped html + media files, renamed to *.war). I want add a Web-INF/w

Answer 1

If you know the directory where tomcat puts all deployed apps you can use relative paths (because they are resolved in relation to catalina.base env.variable, i.e. tomcat home).

For example, if you are deploying using eclipse IDE, usually apps are deployed in wtpwebapps, so you can use:

Not perfect yet, but at least you are not using full paths.

An alternative, would be to implement your own Realm that extends MemoryRealm and pre-processes the pathname before calling super.setPathname();

You can also go for a DataSourceRealm, which does not have this problem and its suitable for production.

For servlet container independent approach you can use a security framework based on filters (e.g. Spring security, ...)