Restrict Access to Your Tomcat Web Application

By | October 31, 2013

 Tomcat securityIs it possible to have too much security while running your own app? Nowadays, applications are a common target of potential attacks and vulnerabilities. As a result, having the ability to restrict access to your application is critical for your business.

In this article we will address how to protect an application running on a Tomcat server in Jelastic. We recommend two possible solutions on how to restrict access to your app by requesting the user authentication or just denying the access for specified IP addresses. You can choose one of them or use both methods together.

With the authentication settings, you can specify several users and provide them different levels of access by stating the roles. And, if you’re aware of harmful actions targeted to your app from specific IP addresses – simply restrict access per abuser.

Let’s get started and share the required configurations step-by-step.


To request the user authentication for accessing your web-application with a Tomcat server, perform the following actions:

1. Navigate to the environment where your application is deployed. Click the Config button for your Tomcat server.

2. Open the server folder and select the tomcat-users.xml file.

3. Add new users with the required credentials and roles. Save the changes.

For example:

<user username="test" password="test" roles="admin"/>
<user username="test1" password="test1" roles="user"/>


4. Go to the web.xml file in the same folder and specify the security constraint for the newly created user.


 <realm-name>Test Realm</realm-name>


5. Save the changes and Restart your Tomcat server.

As a result, while accessing the application, a user will be requested to authenticate.


Client IP Address Access Deny

In order to set the access deny to your web-application for the certain client IP addresses follow the next steps:

1. Navigate to the environment with your application deployed. Press Config button for the Tomcat server.

2. Go to the webapps/META-INF folder and open the context.xml file.

3. Add the following strings to the context.xml file as it is shown in the picture below:

<Context antiJARLocking="true" path="/">
 <Valve className="org.apache.catalina.valves.RemoteIpValve" />
 <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="{IP_address}" />



If there is no context.xml file in your webapps/META-INF folder, you need to create it, add all the above mentioned strings and restart your Tomcat server for the changes to be applied.

4. Save the changes and Restart your Tomcat server.

Subsequently, the user with the denied IP address will see the HTTP Status 403 while trying to access your application.


We hope this article is a useful guideline. As you can see, only a few simple steps are required to protect your app from abusive users. These are just some basic settings that can be implemented to make your web application more secure. If you are interested in additional methods of protection, feel free to leave your comments below stating the problem you want to solve.

Subscribe to get the latest updates