Using Tomcat Basic Auth with new WebApplicationInitializer

Question

OK so I've previously used this technique with classic web.xml, but am having trouble getting it to work now that I'm using the WebApplicationInitializer.

My WebApplicationInitializer includes this code:

HttpConstraintElement constraint = new HttpConstraintElement(
        TransportGuarantee.NONE,
        new String[]{"sponsorUsers"});
ServletSecurityElement servletSecurity =
        new ServletSecurityElement(constraint);
dispatcher.setServletSecurity(servletSecurity);

I'm trying to require basic auth (username+password) for any http methods for any resource request within the servlet. All I get back is a 403 - no prompt for the username. My suspicion is that I need to set the auth-method to BASIC, as I would in xml:

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>User Auth</realm-name>
</login-config>

But don't see the equivalent in the Java classes. Any help? Thanks!

Answer 1

A WebApplicationInitializer is basically the Spring extension of Servlet 3.0 ServletContainerInitializer.

There are a few things you cannot do with ServletContainerInitializer, or ServletContext to be more specific, and one of them is to configure some security components, ex login-config.

Instead you can have both a ServletContainerInitializer and a web.xml using the attribute metadata-complete set to false. For example,

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    metadata-complete="false" version="3.0">

In which you then add your <login-config> element.