Tomcat Realm Security support

[davsclaus]

For end users that use Apache Tomcat, they may want to use its simple memory realm that uses the conf/tomcat-users.xml file for setting up users.

The current security in hawtio-web is JAAS based, and that would require Tomcat users to battle with its JAAS setup
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JAASRealm

It would be nice if you could set a JVM property to tell hawtio to use the simple tomcat file, etc. Then that would be much easier to have some basic security using that conf/tomcat-users.xml file that many uses.

[davsclaus]

Yay I got a prototype up and working.

All you had to setup is
export CATALINA_OPTS='-Dhawtio.authenticationEnabled=true -Dhawtio.realm=tomcat'

And the login screen works, and login is using conf/tomcat-users.xml file.

[jstrachan]

great stuff; does the hawtio.realm=* work? (isn't that the default now when not in karaf?). So I guess we just need to enable authentication then maybe?

I wonder if there's a way to detect, if inside tomcat if it should be authenticated? It'd be nice to just do the right thing; though that might not be possible...

[davsclaus]

Yeah let us try to discover if we run in Tomcat, and it is only using the user database realm (the file stuff) then we can imply to use that, and just let end users set -Dhawtio.authenticationEnabled=true, and leave the realm as is.

[davsclaus]

Okay added some docs at
https://github.com/hawtio/hawtio/blob/master/docs/Configuration.md

We got some basic Tomcat support for using conf/tomcat-users.xml.