Setting up HTTP auth protecting a Tomcat servlet


In my last blog post I covered a custom Java servlet running on Tomcat that gives statistics on current active users using a Java application running on the Tomcat server.

You may realize that this servlet, or any Tomcat servlet/application, is world-readable, and you may want to protect it with a password.

There are several ways you can password protect it. For example, you could simply create an input form where a password is entered, and only then display the information. You could also add an authentication string to the URL, or add custom HTTP headers which the servlet reads.

This blog post covers the simple old school HTTP authentication, where the browser pops up a username/password dialog box to the user.

You can adapt the code below in your Tomcat servlet class:

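import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter;

public class MyClass extends HttpServlet {
 // Maps "username:password" to a marker value for accepted credentials
 private HashMap<String, String> validUsers = new HashMap<String, String>();

 @Override
 public void init(final ServletConfig config) throws ServletException {
  super.init(config);
  validUsers.put("myuser:mypassword", "authorized");
 }

 @Override
 public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
  String auth = request.getHeader("Authorization");
  if (!authenticate(auth)) {
   // No valid credentials: send the challenge header and a 401 so the browser prompts the user
   response.setHeader("WWW-Authenticate", "BASIC realm=\"My Website Auth\"");
   response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  } else {
   //User authenticated, allow them in and serve protected content here
  }
 }

 private boolean authenticate(String auth) {
  if (auth == null)
   return false;

  if (!auth.toUpperCase().startsWith("BASIC "))
   return false;

  // Strip the "Basic " prefix and decode the base64 "username:password" pair
  String userpassEncoded = auth.substring(6);
  String userpassDecoded = new String(DatatypeConverter.parseBase64Binary(userpassEncoded), StandardCharsets.UTF_8);

  return "authorized".equals(validUsers.get(userpassDecoded));
 }
}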

As you can see, the servlet code first looks for an “Authorization” HTTP header. If it is not present, the servlet sends a standard response code, which causes the browser to prompt the user. The username/password are then transmitted to the servlet, which supports standard BASIC authentication, with the username/password base64 encoded. The servlet then matches the username/password against a HashMap of configured users we’ve defined in the init() method. Note that base64 is an encoding, not encryption, so the credentials are readable by anyone who can see the traffic unless the servlet is served over HTTPS.

Pretty simple!
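
The servlet above keeps "myuser:mypassword" in plaintext inside the class. As an added example (not code from the original post), here is a stand-alone variant of the authenticate() check that stores a salted PBKDF2 hash per user and compares it in constant time. The class name BasicAuthVerifier, the iteration count and the key size are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: hypothetical helper, not part of the original servlet.
public class BasicAuthVerifier {
    private static final int ITERATIONS = 210_000, KEY_BITS = 256; // assumed parameters
    // Record used for unknown users so the PBKDF2 work is done either way
    private static final byte[][] DUMMY = { new byte[16], new byte[KEY_BITS / 8] };
    private final Map<String, byte[][]> users = new HashMap<>();   // user -> {salt, hash}

    private static byte[] pbkdf2(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    public void addUser(String user, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        users.put(user, new byte[][] { salt, pbkdf2(password, salt) });
    }
    // True only for a well-formed "Basic <base64(user:password)>" header with valid credentials
    public boolean authenticate(String header) throws GeneralSecurityException {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedBase64) {
            return false;
        }
        int colon = decoded.indexOf(':');   // split on the first ':'; the password may contain more
        if (colon < 0 || colon == decoded.length() - 1) return false;
        byte[][] record = users.getOrDefault(decoded.substring(0, colon), DUMMY);
        byte[] candidate = pbkdf2(decoded.substring(colon + 1).toCharArray(), record[0]);
        return MessageDigest.isEqual(candidate, record[1]);   // constant-time comparison
    }
    public static void main(String[] args) throws GeneralSecurityException {
        BasicAuthVerifier v = new BasicAuthVerifier();
        v.addUser("myuser", "mypassword".toCharArray());   // constructed sample credentials
        String good = "Basic " + Base64.getEncoder().encodeToString("myuser:mypassword".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + Base64.getEncoder().encodeToString("myuser:wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println(v.authenticate(good) + " " + v.authenticate(bad) + " " + v.authenticate("Basic !!!not-base64"));
    }
}
```

In the servlet, doGet() would call this authenticate() with the Authorization header and keep sending the WWW-Authenticate challenge with a 401 whenever it returns false.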
