How to secure the default page of Tomcat?


I want to make the default page of my Tomcat7 server private, i.e. accessible only after the .htaccess password has been entered.

I mean this page:

[Screenshot: Tomcat default page]

For that purpose, I added:

<user username="admin" password="admin" roles="manager-gui"/>

to tomcat-users.xml.

Then I added:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/references/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<!-- Define the Login Configuration for this Application -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Application</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
    <description>
    The role that is required to log in to the Manager Application
    </description>
    <role-name>admin</role-name>
</security-role>

to webapps/ROOT/WEB-INF/web.xml.

But when I open the default page, the htaccess dialog box still doesn't appear.

What am I doing wrong?


Solution

  • Look at your <url-pattern>: it is pointing to /references/*, which doesn't exist in the ROOT folder. In a typical Tomcat setup the welcome page is in the root folder, so the <url-pattern> should point to /*.
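The following is an added example, not code from the question or the answer above. It is a small offline lint that reads a web.xml and a tomcat-users.xml and reports whether a given path is covered by any <security-constraint> and, if so, which accounts actually hold a required role. It goes one step beyond the answer: besides the /references/* versus /* mistake it also surfaces a second mismatch visible in the question, namely that the user was created with roles="manager-gui" while the constraint demands admin, so even with the pattern fixed nobody could log in. The two configuration strings are constructed here to mirror the question; the fixed tomcat-users.xml entry (adding an admin role) is an assumption about the intended fix, and the pattern matcher is a simplified version of the Servlet mapping rules (exact, /prefix/*, *.ext).

```python
"""Offline lint for a Tomcat security-constraint (added example, not the original
page's code): does the <url-pattern> cover the requested path, and is the required
role actually granted to some user in tomcat-users.xml?"""
import xml.etree.ElementTree as ET

# Constructed inputs that reproduce the configuration posted in the question.
WEB_XML_AS_POSTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/references/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Application</realm-name>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

# The fix from the answer: protect the whole context, not a non-existent sub-path.
WEB_XML_FIXED = WEB_XML_AS_POSTED.replace("/references/*", "/*")

TOMCAT_USERS_AS_POSTED = """<tomcat-users>
  <user username="admin" password="admin" roles="manager-gui"/>
</tomcat-users>"""

# Assumed intended fix: the account must hold the role the constraint names.
TOMCAT_USERS_FIXED = """<tomcat-users>
  <role rolename="admin"/>
  <user username="admin" password="admin" roles="manager-gui,admin"/>
</tomcat-users>"""


def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so real web.xml files parse too."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def pattern_matches(pattern, path):
    """Simplified Servlet-spec URL matching: exact, path prefix (/x/*), extension (*.ext).
    The bare default pattern "/" is container-specific and deliberately not modelled."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def required_roles(web_xml, path):
    """Union of <role-name>s from every <security-constraint> whose url-patterns
    cover `path`. An empty set means the path is served with no authentication."""
    root = ET.fromstring(web_xml)
    roles = set()
    for sc in _find_all(root, "security-constraint"):
        patterns = [p.text.strip() for p in _find_all(sc, "url-pattern")]
        if any(pattern_matches(p, path) for p in patterns):
            roles.update(rn.text.strip() for rn in _find_all(sc, "role-name"))
    return roles


def granted_roles(tomcat_users_xml):
    """username -> set of roles, from the comma-separated roles attribute."""
    root = ET.fromstring(tomcat_users_xml)
    return {
        u.get("username"): {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        for u in _find_all(root, "user")
    }


def who_can_open(web_xml, tomcat_users_xml, path):
    """Return (protected, users): whether `path` requires a login at all, and the
    set of accounts holding at least one of the roles the constraint demands."""
    needed = required_roles(web_xml, path)
    if not needed:
        return False, set()
    users = {u for u, roles in granted_roles(tomcat_users_xml).items() if roles & needed}
    return True, users


if __name__ == "__main__":
    for label, web, users in (("as posted", WEB_XML_AS_POSTED, TOMCAT_USERS_AS_POSTED),
                              ("fixed", WEB_XML_FIXED, TOMCAT_USERS_FIXED)):
        protected, who = who_can_open(web, users, "/")
        print(f"{label:10s} '/' protected={protected} allowed={sorted(who) or 'NOBODY'}")
```

Run against the posted files the lint reports that "/" is not protected at all (no pattern covers it); with only the url-pattern changed to /* it reports the page as protected but with no account able to satisfy the constraint, because manager-gui is the role for the Manager application, not the admin role the ROOT context asks for. Two caveats a practitioner would add once the login prompt appears: BASIC sends the credentials base64-encoded on every request, so either terminate TLS in front of Tomcat or add a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> to the constraint, and admin/admin is not a password to keep on a reachable server.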