How to Turn on Basic Server-side Authentication for Lucee

Here’s the instructions I use whenever I need to remember how to set up basic server-side authentication on a Lucee server. These are really instructions for Apache Tomcat, which Lucee uses as its web server.

This is something I often do for development sites, but not production. It will allow your Lucee website to authenticate against a static file of users.
(If you are looking for a way to do this dynamically one option is to connect your website to Active Directory. This is how our production sites are configured and I’ve documented the process here.)

If you’re like me and migrating from Apache Webserver this process is similar to adding users to a password file using the htpasswd command.

First we will create an xml file with our user data. Store this outside of your web root! The format looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns=""
              xsi:schemaLocation=" tomcat-users.xsd"
	<role rolename="canaccessMYAPP"/>
	<user username="gaspard" password="abcd1234" roles="canaccessMYAPP"/>

The userstore ends up being global within Tomcat, so I’ve made the security role specific to MYAPP. Later on you’ll see how I use this in the web.xml to control access to only MYAPP.

In our server.xml file, now we will tell Tomcat about our file with the user data by making an entry inside the <GlobalNamingResources> tag.

    <Resource name="UserDatabase" auth="Container"
              description="User database that can be updated and saved"
              pathname="conf/tomcat-users.xml" />
	<Resource name="MY_APP_UserDatabase" auth="Container"
              pathname="C:\MY_APP-users.xml" />

(you can remove the default user store on lines 2-6)

Now that we’ve told Tomcat about our XML file with user data, let’s tell Tomcat that this file is available within the engine.

<Engine name="Catalina" defaultHost="">
      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
		<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="MY_APP_UserDatabase"/>
<Host name="MY_APP.test" appBase="webapps" unpackWARs="true" autoDeploy="true" >
		<Context path="" docBase="C:\wwwroot\MY_APP\public_html\" />
		<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="access_log" suffix=".txt" pattern="%h %l %u %t "%r" %s %b" />


We’ve also defined our host within the <engine> area. You can read more about that here.

Now lets tell our website to authenticate against our list of users. In our web.xml we will add the following:

<web-app xmlns:xsi="" 
id="WebApp_ID" version="3.1">

As I said at the start, I usually only use this for dev environments. But if you have multiple user files for multiple web apps on one server the user accounts are global. We don’t want the users from MYAPP #1 getting access to MYAPP #2. In the above example I am controlling access by stating that this website only allows users with “canaccessMYAPP”. If I had a second user database I would make a role for those users called “canaccessOTHERAPP” and configure that web.xml to only allow the users with that role to access.

Hope some of you find this useful!