I’ve done a few articles now on Atom Hopper, an open source project hosted on GitHub. Up until now, though, Atom Hopper has been left open to the world unless it sits inside a private network (which of course may be the case). Allowing anyone to POST new Atom entries is not always ideal. Today I’ll show you how to set up Apache Tomcat with Atom Hopper so that you must provide credentials to POST, but anyone can call GET.
If you haven’t worked through my last article on Tomcat basic authentication, now would be a good time. You will also want to read my other articles on Atom Hopper first, or this won’t make much sense, as I assume here that you’ve already read them. I will assume you already have the Atom Hopper WAR file built and ready to go, and that you’ve used the prior article to build the MySQL table. In addition, you will need to make the changes from that article to the server.xml file, etc.
With all the steps done in the prior article, take the newly built Atom Hopper WAR file and rename it to: ROOT.war
Copy the ROOT.war file into the Tomcat webapps folder (if a ROOT folder already exists you can either delete it or just keep the original name of the Atom Hopper WAR file but you will need to modify the upcoming steps).
Ensure you have added all the changes to the server.xml file and context.xml file.
With the ROOT.war file now in the webapps folder, start Tomcat and let it extract the ROOT.war file. Go into the ROOT/WEB-INF folder, find the web.xml file and open it. Add the following to the file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>authenticated</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>authenticated</role-name>
</security-role>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>tomcat_realm</realm-name>
</login-config>
Notice how I left out the:
This means the basic authentication will only apply to POST, DELETE, or PUT. Anyone can get an Atom Hopper feed but only authenticated users can POST new data.
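As an added example (not code from the post or from the Atom Hopper project), here is a small Python audit that reads a web.xml like the one above and reports which HTTP methods the security constraint leaves without authentication at a given path. The embedded web.xml sample and the method checklist are constructed for the example; a real web.xml carries a namespace on the root element, which the helper strips.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the post, wrapped in a minimal <web-app>.
SAMPLE_WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
   <url-pattern>/*</url-pattern>
   <http-method>POST</http-method><http-method>DELETE</http-method><http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>authenticated</role-name></auth-constraint>
 </security-constraint>
 <login-config><auth-method>BASIC</auth-method><realm-name>tomcat_realm</realm-name></login-config>
</web-app>"""

# Checklist of methods to report on (not exhaustive; a client may send any method token).
COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "TRACE")

def _local(tag):
    """Strip a namespace such as {http://java.sun.com/xml/ns/javaee} from a tag name."""
    return tag.rsplit("}", 1)[-1]

def _matches(pattern, path):
    """Servlet url-pattern matching: '/*' or exact, prefix '/x/*', or extension '*.ext'."""
    if pattern in ("/*", path):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern.startswith("*.") and path.endswith(pattern[1:])

def protected_methods(web_xml, path="/"):
    """Methods that require authentication at `path`: those listed in a collection
    that sits under an <auth-constraint>. Listing no <http-method> covers every method."""
    protected = set()
    for sc in ET.fromstring(web_xml):
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue  # no <auth-constraint>: this constraint does not require a login
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            patterns = [p.text.strip() for p in wrc if _local(p.tag) == "url-pattern"]
            methods = [m.text.strip().upper() for m in wrc if _local(m.tag) == "http-method"]
            if any(_matches(p, path) for p in patterns):
                protected.update(methods or COMMON_METHODS)
    return protected

def unprotected_methods(web_xml, path="/"):
    """Methods from COMMON_METHODS that reach `path` with no authentication at all."""
    return sorted(set(COMMON_METHODS) - protected_methods(web_xml, path))
```

Run against the post's constraint, it confirms that only POST, PUT and DELETE require a login and lists everything else as open, which is the quickest way to check that a later edit to web.xml has not widened or narrowed that set by accident.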
Save the file. Go grab the MySQL JDBC driver and extract the jar file to the Tomcat lib folder.
Using Poster you can now test everything out.
You should see that you need to authenticate for a POST but not for a GET. You’ve now set up Atom Hopper to only allow authenticated users to create new feed entries.
One final point: unless you use SSL, the username and password in this technique are sent in clear text. You should also look into implementing the LockOutRealm to help protect against scripted brute-force attacks.