Configuring Basic or Digest Authentication for Tomcat-based WebDAV Server

Basic/Digest Authentication 

Important! Microsoft Office on Windows and Mac OS X, as well as Windows Shell (Web Folders / mini-redirector), require a secure SSL connection when used with Basic authentication. Microsoft Office will fail to open a document over an insecure connection with Basic authentication. For a workaround, see the following Microsoft articles. For MS Office on Windows: "You cannot open Office file types directly from a server that only supports Basic Authentication over a non-SSL connection with Office applications". For MS Office on OS X: "You cannot open Office for Mac files directly from a server that supports only Basic authentication over a non-SSL connection".

To configure Basic or Digest authentication using Tomcat's preconfigured users and roles:

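  1. Configure the roles that will have access to the WebDAV repository in the /WEB-INF/web.xml file using the <security-constraint> element (under the <web-app> element):
    <web-app ... >
      <security-constraint>
        <!-- web resources that are protected (the /* url-pattern is assumed here: the whole application) -->
        <web-resource-collection>
          <web-resource-name>All Resources</web-resource-name>
          <url-pattern>/*</url-pattern>
          <!-- All methods but OPTIONS must be authenticated. OPTIONS must work without authentication for cross domain in Firefox to work (http-method-omission requires Servlet 3.0 or later) -->
          <http-method-omission>OPTIONS</http-method-omission>
        </web-resource-collection>
        <!-- role-name indicates roles that are allowed to access the web resource specified above (here the "administrators" role from tomcat-users.xml) -->
        <auth-constraint><role-name>administrators</role-name></auth-constraint>
      </security-constraint>
    </web-app>
  2. Configure roles:
    <web-app ... >
      <security-role><role-name>administrators</role-name></security-role>
    </web-app>
  3. Configure authentication:
    • For Basic authentication add the following element after the <security-constraint> element:
      <web-app ... >
        <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>Basic Authentication</realm-name>
        </login-config>
      </web-app>
    • For Digest authentication add the following element:
      <web-app ... >
        <login-config>
          <auth-method>DIGEST</auth-method>
          <realm-name>Digest Authentication</realm-name>
        </login-config>
      </web-app>
  4. Configure users, their names, passwords and the roles they belong to in <TOMCAT_HOME>/conf/tomcat-users.xml:
    <tomcat-users>
        <role rolename="manager"/>
        <role rolename="admin"/>
        <role rolename="administrators"/>
        <user username="admin" password="admin" roles="admin,manager"/>
        <user username="sergey" password="sergey" roles="administrators"/>
    </tomcat-users>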

In your code, you can check the roles of the logged-in user using the request.isUserInRole method:

public List<HierarchyItemImpl> getChildren() throws ServerException {
    if (this.getEngine().getRequest().isUserInRole("administrators")) {
        List<HierarchyItemImpl> children = new ArrayList<>();
        // list items
        return children;
    }
    throw new ServerException(WebDavStatus.ACCESS_DENIED);
}

Authentication Against Custom Users Storage with Tomcat

To authenticate against your credential store using Basic or Digest authentication you need to:

  1. Implement a Tomcat custom realm:
    import java.security.Principal;
    import org.apache.catalina.realm.RealmBase;

    public class CustomRealm extends RealmBase {
        // Tomcat 7 and later declare hasRole(Wrapper wrapper, Principal principal, String role)
        public boolean hasRole(Principal principal, String role) {
            // determine if principal is in role
            return false; // placeholder: deny until the lookup is implemented
        }
        protected String getPassword(String username) {
            // return password of user with name = 'username'
            return null; // placeholder: no such user
        }
        protected Principal getPrincipal(String username) {
            return new CustomPrincipal(username);
        }
    }

    class CustomPrincipal implements Principal {
        private final String name;
        public CustomPrincipal(String name) {
            this.name = name;
        }
        public String getName() {
            return name;
        }
        public String toString() {
            return getName();
        }
    }
  2. Configure Tomcat to use the custom realm in <TOMCAT_HOME>/conf/server.xml:
    <Server ...>
      <Service ...>
        <Engine ...>
          <!-- Because this Realm is here, an instance will be shared globally
               <Realm className="org.apache.catalina.realm.MemoryRealm" /> -->
          <Realm className="CustomRealm"/>
        </Engine>
      </Service>
    </Server>
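With Digest authentication the server has to recompute the client's response, so the credential store behind a custom realm must hold either the clear-text password or the MD5(username:realm:password) value (HA1) defined in RFC 2617. The following is an added example, not code from the original page or from the WebDAV server library; it shows that check and how the `<realm-name>` from web.xml is bound into HA1. The class name `DigestResponseCheck`, the nonce, cnonce and request values, and the ISO-8859-1 encoding are assumptions made for the illustration; the user, password and realm names are the page's sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestResponseCheck {
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // every Java platform must provide MD5
        }
    }

    // HA1 = MD5(username:realm:password). The store can keep this instead of the password.
    static String ha1(String user, String realm, String password) {
        return md5Hex(user + ":" + realm + ":" + password);
    }

    // RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:MD5(method:uri)).
    static String response(String storedHa1, String method, String uri,
                           String nonce, String nc, String cnonce) {
        return md5Hex(storedHa1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + md5Hex(method + ":" + uri));
    }

    // Server side: recompute from the stored HA1 and compare in constant time.
    static boolean verify(String storedHa1, String method, String uri,
                          String nonce, String nc, String cnonce, String clientResponse) {
        byte[] expected = response(storedHa1, method, uri, nonce, nc, cnonce).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, clientResponse.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed request values; user, password and realm names are the page's samples.
        String method = "PROPFIND", uri = "/", nonce = "constructed-nonce", nc = "00000001", cnonce = "constructed-cnonce";
        String stored = ha1("sergey", "Digest Authentication", "sergey");
        String sameRealm = response(ha1("sergey", "Digest Authentication", "sergey"), method, uri, nonce, nc, cnonce);
        String otherRealm = response(ha1("sergey", "Basic Authentication", "sergey"), method, uri, nonce, nc, cnonce);
        System.out.println("HA1 built with the configured realm-name: " + verify(stored, method, uri, nonce, nc, cnonce, sameRealm));
        System.out.println("HA1 built with a different realm-name:    " + verify(stored, method, uri, nonce, nc, cnonce, otherRealm));
    }
}
```

The second check fails because the realm name is part of HA1, so a store that holds HA1 values has to be regenerated whenever `<realm-name>` changes.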
