We need to define security roles in web.xml.

Here, the security role operator is created by adding the following to web.xml:

                  <description>Application USER</description>

Then define the resource path (Uniform Resource Identifier, URI) to which security is to be applied:


        	<web-resource-name>Secured Path</web-resource-name>

<!-- CONFIDENTIAL - will redirect from http:// to https:// -->

Now go to tomcat/conf/server.xml.

In production, it’s recommended to set the transport guarantee to “CONFIDENTIAL”, so that when a resource is accessed over a plain HTTP request, such as http://localhost:8080/application/resourcepath, Tomcat redirects the request to the HTTPS address https://localhost:8443/application/resourcepath. The HTTPS redirect can be configured in Tomcat’s conf/server.xml.

Then define the auth-method type in the deployment descriptor web.xml.


Go to tomcat-users.xml and define a user for the role defined in the project's deployment descriptor; here it is operator.

<user username="appuser" password="123456" roles="operator"/>


Configure the security realm in the $Tomcat/conf/server.xml file. This case uses the default UserDatabaseRealm to read the authentication information from $Tomcat/conf/tomcat-users.xml.


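  <Resource name="UserDatabase" auth="Container"
            type="org.apache.catalina.UserDatabase"
            description="User database that can be updated and saved"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml" />

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>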


Once everything is set, restart the Tomcat instance and deploy the application.

Check the URI:



It should prompt for a password. Then enter the user name and password you defined in tomcat-users.xml, i.e., here appuser / 123456:

<user username="appuser" password="123456" roles="operator"/>
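
The web.xml steps above can be verified before the application is deployed. The following is an added example, not code from the original page: a Python check that the descriptor declares every role it uses, protects the path with an auth-constraint and a CONFIDENTIAL transport guarantee, and sets a login method. The sample descriptor is constructed; its url-pattern and BASIC auth-method are assumptions, and audit_web_xml is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the original page). The url-pattern
# and the BASIC auth-method are assumptions; the role name comes from the page.
SAMPLE_WEB_XML = """<web-app>
  <security-role>
    <description>Application USER</description>
    <role-name>operator</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured Path</web-resource-name>
      <url-pattern>/resourcepath/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>operator</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def audit_web_xml(xml_text):
    """Return a list of findings for the security settings in a web.xml."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop XML namespaces so the paths below stay simple
        el.tag = el.tag.split("}")[-1]
    findings = []
    declared = {r.text.strip() for r in root.findall("security-role/role-name") if r.text}
    constraints = root.findall("security-constraint")
    if not constraints:
        findings.append("no security-constraint: nothing is protected")
    for c in constraints:
        name = c.findtext("web-resource-collection/web-resource-name", "unnamed").strip()
        roles = [r.text.strip() for r in c.findall("auth-constraint/role-name") if r.text]
        if c.find("auth-constraint") is None:
            findings.append(f"{name}: no auth-constraint, no login required")
        for role in roles:  # "*" and "**" are wildcard role names, not declared roles
            if role not in ("*", "**") and role not in declared:
                findings.append(f"{name}: role '{role}' has no security-role entry")
        guarantee = (c.findtext("user-data-constraint/transport-guarantee") or "").strip()
        if guarantee != "CONFIDENTIAL":
            findings.append(f"{name}: transport-guarantee is not CONFIDENTIAL")
    if constraints and root.find("login-config/auth-method") is None:
        findings.append("login-config/auth-method is missing")
    return findings
```

An empty list means the descriptor has all three pieces in place; each string in the result names the constraint and the setting that is missing or weak.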