How to Turn on Basic Server-side Authentication for Lucee

Here’s the instructions I use whenever I need to remember how to set up basic server-side authentication on a Lucee server. These are really instructions for Apache Tomcat, which Lucee uses as its web server.

This is something I often do for development sites, but not production. It will allow your Lucee website to authenticate against a static file of users.
(If you are looking for a way to do this dynamically one option is to connect your website to Active Directory. This is how our production sites are configured and I’ve documented the process here.)

If you’re like me and migrating from Apache Webserver this process is similar to adding users to a password file using the htpasswd command.

First we will create an xml file with our user data. Store this outside of your web root! The format looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
	<role rolename="canaccessMYAPP"/>
	<user username="gaspard" password="abcd1234" roles="canaccessMYAPP"/>
</tomcat-users>

The userstore ends up being global within Tomcat, so I’ve made the security role specific to MYAPP. Later on you’ll see how I use this in the web.xml to control access to only MYAPP.

In our server.xml file, now we will tell Tomcat about our file with the user data by making an entry inside the <GlobalNamingResources> tag.

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
			  
	<Resource name="MY_APP_UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"            
               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="C:\MY_APP-users.xml" />
  </GlobalNamingResources>

(you can remove the default user store on lines 2-6)

Now that we’ve told Tomcat about our XML file with user data, let’s tell Tomcat that this file is available within the engine.

<Engine name="Catalina" defaultHost="127.0.0.1">
      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
		<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="MY_APP_UserDatabase"/>
      </Realm>
<Host name="MY_APP.test" appBase="webapps" unpackWARs="true" autoDeploy="true" >
		<Context path="" docBase="C:\wwwroot\MY_APP\public_html\" />
		<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="access_log" suffix=".txt" pattern="%h %l %u %t "%r" %s %b" />
		</Host>

    </Engine>

We’ve also defined our host within the <engine> area. You can read more about that here.

Now lets tell our website to authenticate against our list of users. In our web.xml we will add the following:

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns="http://xmlns.jcp.org/xml/ns/javaee" 
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" 
id="WebApp_ID" version="3.1">
	<display-name>test</display-name>
	<welcome-file-list>
		<welcome-file>index.html</welcome-file>
		<welcome-file>index.htm</welcome-file>
		<welcome-file>index.cfm</welcome-file>
		<welcome-file>default.html</welcome-file>
		<welcome-file>default.htm</welcome-file>
		<welcome-file>default.cfm</welcome-file>
	</welcome-file-list>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name></web-resource-name>
			<url-pattern>/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>canaccessMYAPP</role-name>
		</auth-constraint>
	</security-constraint>
	<security-role>
    <role-name>canaccessMYAPP</role-name>
  </security-role>
	<login-config>
		<auth-method>BASIC</auth-method>
	</login-config>
</web-app>

As I said at the start, I usually only use this for dev environments. But if you have multiple user files for multiple web apps on one server the user accounts are global. We don’t want the users from MYAPP #1 getting access to MYAPP #2. In the above example I am controlling access by stating that this website only allows users with “canaccessMYAPP”. If I had a second user database I would make a role for those users called “canaccessOTHERAPP” and configure that web.xml to only allow the users with that role to access.

Hope some of you find this useful!

Frame off restoration of a classic 2012 Radio Flyer All-Terrain Wagon

Oh man. I’m old now but back in the day growing up we all wanted one of these. Old man Smith had one with an extra pair of chrome bumpers and tail fins that scraped the sky. Sure they got 4 gallons to the mile, but gas was a nickle a tank and these wagons were the coolest.

Now that I’m older, I scouted around the collector sites looking for a low mileage wagon. I kicked the tires on a few, but it wasn’t until I saw this one that I knew I had found the perfect restoration project.

It was a barn find. Another tale of a young kid putting his wagon in the back of a barn and forgetting about it.

It was is perfect condition considering its age, 12 long years. The deck had rotted out, the paint was flaking, all the chrome had been stolen, and the gold lug nuts had been been lost at some point in the past, but the soul of the wagon was still there.

I got to work. I started by first sanding down the frame with 5 grit sandpaper and easing slowly into 1000k grit for a smooth finish. Unfortunately there was not much left but sawdust after this. But it was factory original sawdust.

Once I had smoothed out the frame I brought in to the professionals for an acid bath and finally a blessing at a Shinto temple to ward off evil spirits.

After that the difficult work of assembling a numbers-matching frame-off restoration began.

The dealer sheet says the wagon should’ve come from the factory with the XLG21 Sports package, but after further investigation this was most likely installed afterwards by the dealer and was in fact the GXL20 Sportsman’s package which was a mid year replacement for the popular PLX67 package. The “G” stands for gold. You can tell the difference easily if you still have the gold lug nuts as the former package uses a star pattern while the latter package uses a standard 1 lug pattern. As i did not have the gold lug nuts I could not determine the package. Instead I decided to use the VIN as the guide for this restoration. And that meant no gold lug nuts, no chrome. Just the stock wheels. It would be a sleeper.

A similar vintage Radio Flyer ATW with XLG21 Sports package. Note the gold lug nuts

First thing was to replace the deck. The original was 1/4in plywood, but I only had 1/2inch. The wagon will be sturdier than the day it came from the factory.

Now to put the wheels on…

More reassembly…

She’s looking good.

To really finish this project I just need to apply a five coats of paint and 678 coats of polyurethane. But for now I have my summer driver!