I have a number of web applications running in a Tomcat instance.
They are fronted by an Apache instance, using mod_proxy.
Each web application is a silo in and of itself, each with its own user credential store and user authentication and authorisation. I want to continue using that.
However, I would like to apply simple password protection at the Apache level - maybe just a single known username/password using Basic Auth - before the requests are forwarded on to the Tomcat instance. Is this possible? and how can this be done?
You can do this within the <Location> directive
Example:
ProxyPass /mytomcatapp http://localhost:8080/app1
<Location /mytomcatapp>
AuthType Basic
AuthName "Wrapper auth"
AuthBasicProvider file
AuthUserFile "/path/to/users.htpasswd"
Require valid-user
</Location>
This will give you HTTP Basic Auth when hitting yoursite.com/mytomcatapp