Password protection .htaccess like in Java web applications

Question

I have the following scenario:

I'm developing Java EE Web application running on Jboss 6.1.0 and I want to publish this application on a public server for end-user testing.

For example: http://mysite.com/testings/app1/

My question: What would be the appropriate way to protect that directory in .htaccess (Apache HTTP server) fashion, so, when my client try to access http://mysite.com/testings/app1/ be asked for a user/password combination?.

I think there are two options:

1. Configuration on the servlet server?
2. Reverse Proxy?.

I just want to clarify what would be the best practice in this situation, because for php applications the .htaccess feature fit my needs.

Answer 1

You can use spring security for that, I wrote an example in How do I do HTTP basic auth using Struts 2/ Spring 3?.

Or you can use an apache httpd server "above" jboss (using rewrites and proxy) so that users access you site via apache, and apache forwards to jboss (that would only listen on localhost). Here is an example rewrite rule to forward "www.mysite.com" to web application "myapp" with AJP connector on port 8009:

<VirtualHost www.mysite.com:80 >
    RewriteEngine on
    RewriteCond %{HTTP_HOST} www\.mysite\.com
    RewriteRule ^/(.*)$ ajp://localhost:8009/myapp/$1 [P,QSA,L]
</VirtualHost>

And then you can use the apache auth system, for example to protect all admin/* pages:

<Proxy ajp://localhost:8009/myapp/admin/* >
    Order deny,allow
    Allow from all
    AllowOverride AuthConfig
    AuthType Basic
    AuthName "Admin"
    AuthUserFile /etc/apache2/passwd/admin.passwd
    Require valid-user
</Proxy>