Tomcat-based authentication methods

Warning

Tomcat-based authentication is deprecated as of EDG 8.0 and will be removed in a future release.

With these authentication methods, authentication is handled by, and configured in, the web application container (Tomcat). The container is responsible for account management. Credentials are handled and verified only by the container. EDG is only responsible for displaying the login form, login error messages, and logout link.

Considerations

Tomcat-based authentication is deprecated as of EDG 8.0 and will be removed in a future release. It should not be used for new deployments.

There are two Tomcat-based authentication methods: form and basic. They are analogous to the EDG-native authentication methods Form Authentication and HTTP Basic Authentication. The EDG-native methods should be used instead, and existing deployments should be migrated as soon as practical.

Note that the EDG-native methods can be combined, using form as the value for endUserAuthMethod and basic as the value for apiAuthMethods.

Configuring

To enable a Tomcat-based authentication method, add or uncomment one of the following lines in the setup file (edg-setup.properties):

# For Tomcat-based form authentication
authMethod = form
# For Tomcat-based HTTP basic authentication
authMethod = basic

Make sure that no endUserAuthMethod or apiAuthMethods are defined, as these cannot be used together with Tomcat-based authentication.

User management

User accounts are defined in tomcat-users.xml, usually found in Tomcat’s conf directory.

Note

In EDG Studio, the file is found in conf/users.xml.

An example is below:

<tomcat-users>
  <!-- Roles that the user entries below can reference -->
  <role rolename="admin"/>
  <role rolename="manager"/>
  <role rolename="editor"/>
  <role rolename="viewer"/>
  <!-- Sample accounts; the passwords shown are placeholders -->
  <user username="Admin_user" password="password32" roles="admin,manager"/>
  <user username="Editor_user" password="password54" roles="editor"/>
  <user username="Guest" password="password76" roles="viewer"/>
</tomcat-users>

The roles defined here must match those defined under securityRoles in the edg-setup.properties file. The comparison is case-sensitive.
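The two constraints above (no endUserAuthMethod or apiAuthMethods alongside authMethod, and role names that match securityRoles exactly) can be checked before a restart. The following is an added example, not part of EDG or its documentation; the function names and sample inputs are constructed, and it assumes securityRoles is a comma-separated list.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs for illustration, not from a real deployment.
SETUP = """\
authMethod = form
securityRoles = admin, manager, Editor, viewer
apiAuthMethods = basic
"""
USERS = """\
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <role rolename="editor"/>
  <role rolename="viewer"/>
  <user username="Admin_user" password="placeholder" roles="admin,manager"/>
  <user username="Editor_user" password="placeholder" roles="editor"/>
  <user username="Guest" password="placeholder" roles="viewer"/>
</tomcat-users>
"""

def parse_properties(text):
    """Minimal key = value parser; ignores blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check(setup_text, users_xml):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    props = parse_properties(setup_text)
    if props.get("authMethod") not in ("form", "basic"):
        findings.append("authMethod is not form or basic")
    for key in ("endUserAuthMethod", "apiAuthMethods"):
        if key in props:
            findings.append(f"{key} must not be defined together with authMethod")
    # Assumption: securityRoles is a comma-separated list.
    allowed = {r.strip() for r in props.get("securityRoles", "").split(",") if r.strip()}
    lowered = {r.lower() for r in allowed}
    for el in ET.fromstring(users_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate an xmlns on the root
            continue
        for role in filter(None, (r.strip() for r in el.get("roles", "").split(","))):
            if role not in allowed:
                hint = " (differs only in case)" if role.lower() in lowered else ""
                findings.append(f"user {el.get('username')}: role {role!r} not in securityRoles{hint}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SETUP, USERS)) or "no findings")
```

On the constructed input it reports the stray apiAuthMethods line and the editor/Editor case mismatch, which would otherwise leave Editor_user with a role EDG does not recognize.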

Authenticating API requests

Refer to the documentation for the equivalent EDG-native authentication methods, Form Authentication and HTTP Basic Authentication, for information on API client authentication.