To define the authentication mechanism and constraints, update the security configuration defined in the web.xml file inside the web archive on the Corticon Server. In a default installation that location is [CORTICON_HOME]\Server\tomcat\webapps\axis\WEB-INF\web.xml.

Within the web.xml is a commented-out block that defines common security constraints. Uncommenting this block enables basic authentication when you restart the server.

<security-constraint>
   <web-resource-collection>
     <web-resource-name>All Corticon SOAP Servlet Access</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>ROLE_CorticonAdmin</role-name>
   </auth-constraint>
</security-constraint>

<login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>Corticon Server Realm</realm-name>
</login-config>

<security-role>
  <role-name>*</role-name>
</security-role>

Note: If you already uncommented this section to enable HTTPS, review the defined web-resource-collection, then add the auth-constraint block and uncomment the login-config and security-role sections.

With the above configuration, every time a user tries to access the server through a URL, a valid username/password must be supplied and verified. You need to decide whether to restrict defined user roles to specified URLs – the endpoints that perform specific actions. That is described in the next topic.

The default user definitions for Apache Tomcat are defined in the tomcat-users.xml file (in a default installation its location is [CORTICON_HOME]\Server\tomcat\conf\tomcat-users.xml) as follows:

<role rolename="ROLE_CorticonAdmin" />
<role rolename="ROLE_CorticonExecute" />

<user username="admin" password="admin" roles="ROLE_CorticonAdmin, ROLE_CorticonExecute" />
<user username="ccuser" password="ccuser" roles="ROLE_CorticonExecute" />

You can modify the passwords and add additional users to this file.
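
The following check is an added example, not part of the Corticon documentation or product. It parses the two files discussed above and reports accounts whose password equals the username (as in the default tomcat-users.xml) and login-protected constraints that use BASIC without a CONFIDENTIAL transport-guarantee; BASIC sends credentials only base64-encoded, so it depends on HTTPS. The sample XML is constructed from the snippets on this page, wrapped in root elements so that it parses, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the page's snippets wrapped in root elements so they parse.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All Corticon SOAP Servlet Access</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>ROLE_CorticonAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
SAMPLE_USERS = """<tomcat-users>
  <user username="admin" password="admin" roles="ROLE_CorticonAdmin, ROLE_CorticonExecute" />
  <user username="ccuser" password="ccuser" roles="ROLE_CorticonExecute" />
</tomcat-users>"""

def elements(root, name):
    """Find elements by local name, ignoring any XML namespace on the file."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(text):
    """Flag missing login protection and BASIC auth not pinned to HTTPS."""
    root, findings = ET.fromstring(text), []
    protected = [c for c in elements(root, "security-constraint")
                 if elements(c, "auth-constraint")]
    if not protected:
        findings.append("no auth-constraint: URLs are served without login")
    basic = any((m.text or "").strip() == "BASIC" for m in elements(root, "auth-method"))
    for c in protected:
        tg = [(g.text or "").strip() for g in elements(c, "transport-guarantee")]
        if basic and "CONFIDENTIAL" not in tg:
            findings.append("BASIC auth without CONFIDENTIAL transport-guarantee")
    return findings

def audit_users(text):
    """Return usernames whose password equals the username (the shipped defaults)."""
    users = elements(ET.fromstring(text), "user")
    return [u.get("username") for u in users
            if u.get("username") and u.get("password", "").lower() == u.get("username").lower()]

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print("web.xml:", finding)
    for name in audit_users(SAMPLE_USERS):
        print("tomcat-users.xml: password equals username for", name)
```

Run it against copies of the real files by passing their contents to audit_web_xml and audit_users; an empty result from both means neither condition was found.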