Authentication and Authorization using Jetty Embedded
This example shows you how to set up web application security programmatically. First, we'll look at how to do it if you use a web.xml file to declare your <security-constraint>s on URLs within your webapp. Then, we'll show you how to do it in code instead, so that you don't even need to have a
For both of these examples, we need to configure jetty with a Realm. A Realm represents the runtime security environment - the users, their credentials and their roles. Jetty has a number of different Realm implementations:
- org.mortbay.jetty.security.HashUserRealm obtains information from a properties file
- org.mortbay.jetty.security.JDBCUserRealm obtains information from a database
- org.mortbay.jetty.plus.jaas.JAASUserRealm uses JAAS for authentication and authorization
For these examples, we'll be using the org.mortbay.jetty.security.HashUserRealm. There is an example of a properties file for this Realm type in
We'll be using BASIC authentication for this example, but you can also set up FORM authentication in a similar way.
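A constructed realm.properties for a HashUserRealm, added here as an example (it is not the file shipped in $jetty.home/etc, and the user names, roles and passwords are made up). Each line is username: password[,role...]; the password may be stored in clear text, or prefixed with MD5: or CRYPT: so the file never holds the secret itself. The MD5 value below is the digest of the string "password", used only to show the format:

```properties
# Format: <username>: <password>[,<role>[,<role>...]]
#
# Clear-text password (fine for a local test, not for anything reachable from a network)
alice: s3cret,user

# Hashed password: MD5 of "password" (hex, lower case). Generate real values with the
# org.mortbay.jetty.security.Password tool instead of hand-writing them.
bob: MD5:5f4dcc3b5aa765d61d8327deb882cf99,user,admin

# A user with no roles authenticates successfully but cannot pass any <auth-constraint>
carol: CRYPT:xx1234567890ab
```

The MD5 and CRYPT forms let the realm verify a password without storing it in a recoverable form. Jetty also accepts an OBF: prefix, but that is reversible obfuscation, not a hash, so treat it as clear text for threat-modelling purposes. To produce the MD5 and CRYPT strings for a new user, run the Password class from the Jetty jar (jar name assumed here): java -cp lib/jetty-6.1.x.jar org.mortbay.jetty.security.Password bob password, and paste the MD5: or CRYPT: line into the file.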
Using a web.xml file for security-constraints
If you're able to use a WEB-INF/web.xml file, you should configure it to use BASIC authentication and specify some URLs that have security constraints. Here's an example:
It is important to note the <realm-name>MyRealm</realm-name>. This is the linkage to the Jetty Realm (a HashUserRealm in this instance). You'll specify this same name when you set up the Realm. Here's the code you need:
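An added example (not the page's original listing) of the embedding code for the web.xml case. It assumes the Jetty 6 API (org.mortbay.jetty packages), that jetty.home is passed as -Djetty.home=... and contains etc/realm.properties, and that an exploded webapp with the web.xml above sits at ./webapps/mywebapp; the port and paths are assumptions:

```java
import org.mortbay.jetty.Server;
import org.mortbay.jetty.security.HashUserRealm;
import org.mortbay.jetty.security.UserRealm;
import org.mortbay.jetty.webapp.WebAppContext;

/**
 * Embeds Jetty 6 and registers a HashUserRealm called "MyRealm", so that the
 * <realm-name>MyRealm</realm-name> in the webapp's WEB-INF/web.xml resolves.
 */
public class SecureEmbeddedJetty {

    public static void main(String[] args) throws Exception {
        // Assumption: -Djetty.home points at a directory with etc/realm.properties
        String jettyHome = System.getProperty("jetty.home", ".");
        String realmFile = jettyHome + "/etc/realm.properties";

        Server server = new Server(8080); // port is an assumption

        // The realm name is the link to web.xml: it must match <realm-name> exactly.
        // HashUserRealm reads the properties file at construction time, so a
        // missing or unreadable file fails here rather than on the first login.
        HashUserRealm realm = new HashUserRealm("MyRealm", realmFile);
        server.setUserRealms(new UserRealm[] { realm });

        // Assumption: exploded webapp (with WEB-INF/web.xml) under ./webapps/mywebapp
        WebAppContext webapp = new WebAppContext();
        webapp.setContextPath("/mywebapp");
        webapp.setWar("./webapps/mywebapp");
        server.setHandler(webapp);

        server.start();
        server.join();
    }
}
```

Registering the realm on the Server lets any deployed webapp select it by name through its own <login-config>. If you prefer to bind the realm to a single context, call webapp.getSecurityHandler().setUserRealm(realm) instead; either way the name string is what ties web.xml to the realm, and a mismatch shows up at startup as a security handler with no realm, not as a silently open webapp.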
Programmatic security constraints (no web.xml)
If you don't wish to use a web.xml file, you can specify your <security-constraint>s in code instead. Here's how we'd code the same security constraints for the web.xml file above:
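An added example (not the original page's listing) of the same constraints expressed with the Jetty 6 security API: a Constraint plays the part of <auth-constraint> plus <auth-method>, a ConstraintMapping plays the part of <url-pattern>, and the context's SecurityHandler takes the place of <login-config>. The role names, paths and port are assumptions as in the previous example:

```java
import org.mortbay.jetty.Server;
import org.mortbay.jetty.security.BasicAuthenticator;
import org.mortbay.jetty.security.Constraint;
import org.mortbay.jetty.security.ConstraintMapping;
import org.mortbay.jetty.security.HashUserRealm;
import org.mortbay.jetty.security.SecurityHandler;
import org.mortbay.jetty.webapp.WebAppContext;

/**
 * Jetty 6 embedding with the security constraints built in code, so the
 * webapp needs no <security-constraint> or <login-config> in web.xml.
 */
public class ProgrammaticSecurityJetty {

    // Roles allowed through the constraint (assumed; match them to realm.properties)
    static final String[] ALLOWED_ROLES = { "user", "admin" };

    public static void main(String[] args) throws Exception {
        String jettyHome = System.getProperty("jetty.home", ".");
        HashUserRealm realm = new HashUserRealm("MyRealm", jettyHome + "/etc/realm.properties");

        // Equivalent of <auth-constraint> with the roles above, challenged via BASIC
        Constraint constraint = new Constraint();
        constraint.setName(Constraint.__BASIC_AUTH);
        constraint.setRoles(ALLOWED_ROLES);
        // authenticate=true: a request without valid credentials gets 401 and a
        // WWW-Authenticate challenge; with false the constraint would be advisory only.
        constraint.setAuthenticate(true);

        // Equivalent of <url-pattern>/*</url-pattern> (assumed: protect the whole context)
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(constraint);
        mapping.setPathSpec("/*");

        // Assumption: exploded webapp under ./webapps/mywebapp
        WebAppContext webapp = new WebAppContext();
        webapp.setContextPath("/mywebapp");
        webapp.setWar("./webapps/mywebapp");

        // The context's SecurityHandler replaces <login-config>: realm + authenticator + mappings
        SecurityHandler security = webapp.getSecurityHandler();
        security.setUserRealm(realm);
        security.setAuthenticator(new BasicAuthenticator());
        security.setConstraintMappings(new ConstraintMapping[] { mapping });

        Server server = new Server(8080); // port is an assumption
        server.setHandler(webapp);
        server.start();
        server.join();
    }
}
```

Everything that the web.xml version declared is still present, just in Java: the realm name, the authentication method, the roles and the path. The practical difference is that these settings now live in the code that starts the server, which is easy to review in one place but also easy to forget: if you later add a second context, it gets no constraints unless you build a SecurityHandler for it too. For a FORM login, swap BasicAuthenticator for FormAuthenticator and Constraint.__FORM_AUTH, and keep the same mappings.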
Assuming you deployed a webapp at the context path /mywebapp by running your application, then surfing to:
will cause a dialog box to pop up prompting you for your username and password. This is how BASIC authentication obtains your authentication information.
The example properties file in $jetty.home/etc/realm.properties defines the following users and their roles:
Our security constraint only allows users in these roles to access it:
Therefore, using the default $jetty.home/etc/realm.properties, only the users:
would be able to access any of the pages protected by the <security-constraint> in the webapp.
Therefore, you would log in as either the user jetty or the user admin (with passwords admin respectively) to be able to access the webapp.