A couple of times now I’ve had to add password authentication to the Jetty Web server. Once for an installation of cruisecontrol and once for for an apache solr installation.

I’m used to just adding password authentication to a .htaccess file in apache configuring Jetty is a little more complicated but not much more. There are already many good how tos out there but if you don’t know what you are looking for and the keywords are: jetty security-constraint.

For the record here is how I did it:

In the web.xml of your web app e.g. cc-config/WEB-INF/web.xml inside the webapp definition you can put something like this

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Resouce</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Test Realm</realm-name>
  </login-config>

This says you need to be a member of role user to be able to view anything in the webroot. It also says use basic http aithentication for the user realm Test Realm.

Then alter etc/jetty.xml to make sure it includes something like:

    <Set name="UserRealms">
      <Array type="org.mortbay.jetty.security.UserRealm">
        <Item>
          <New class="org.mortbay.jetty.security.HashUserRealm">
            <Set name="name">Test Realm</Set>
            <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
            <Set name="refreshInterval">0</Set>
          </New>
        </Item>
      </Array>
    </Set>

You may just need to uncomment the above section from an example.

Finally set the pass word in etc/realm.properties with line like this

username: MD5:md5hash,user

Where md5hash is a hash you generated by some means.