RSS Feed with Basic Authentication in Apache Tomcat

This is just a summary of a small project I got lately involved in: creation of a RSS feed which authenticates the user upon access.

This has a variety of applications:¬† most RSS feeds on the Internet are public stream of information (news, blogs) but in an enterprise environment that’s not really an option, information is confidential and must be delivered to users according to well established privileges and security rules.

Writing the Feed source

Here is a simple project with all code/config presented above.

The actual feed implementation is done with Rome, an open source project for reading and publish RSS/Atoms feeds in various formats.

Why Rome? Well, it is the “de facto” standard in the Java world, it is simple to use and supports most of the syndication formats.

// create Feed object
 SyndFeed feed = new SyndFeedImpl();
 feed.setTitle("Documents for user: " + userName);
 feed.setDescription("Here are all personal documents of " + userName);
// add entries

Enabling Basic Auth

This is done in the web.xml

<!-- HTTP Basic Authentication: protecting RSS feed -->
   <web-resource-name>RSS Feed</web-resource-name>

As you can see the authentication method is specified (BASIC) together with the url to protect (/rss/*) and a role.

Tomcat Configuration

In conf/tomcat-users.xml enable the users who will access the information

<?xml version='1.0' encoding='utf-8'?>
 <role rolename="rss-protected-users"/>
 <role rolename="tomcat"/>
 <user username="tomcat" password="tomcat" roles="tomcat"/>
 <user username="beppe" password="ciao" roles="rss-protected-users"/>

Accessing the Feed

Deploy your war file, apply the various configurations, then from the web browser invoke:


You should get prompted for credentials (as set in tomcat-users.xml), and here you go.

Going further

Instead of accessing the feed via the web browser you can use any other RSS reader (desktop, web or portal) as long as it supports basic authentication. Unfortunately sometimes those clients claim to support BASIC Auth, but fail to work.

I will publish later a list of RSS client readers which I will have successfully tested (this is the next phase of the project)

Oracle OID: I have also connected the web app (feed) to the Oracle LDAP server (OID), this is awesome as it allows to authenticate users against an LDAP server (rather than maintaining the Tomcat users). Drop me a line if you are interested in the config settings.

Last tip: as per Java EE specs only one <login-config> element is allowed in the web.xml therefore you cannot have a feed authenticating with Http Basic Auth and the rest of the application (web service?) using a different mechanism (FORM or CERT). Not ideal IMO, but eventually I ended up creating 2 different WAR files sharing the same business  logic which is not a big deal (no code duplication, 2 different simple deployments).


Find here a simple (Maven) project with source and configurations discussed above.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: