Sample Webapp

It is quite easy to test your setup now.

Prerequisites

Create a Servlet 3.1 compatible webapp project with a method of your choice, e.g., a Maven archetype or the Eclipse project wizard. Configure the resources (authenticator and realm).

Modifying the Deployment Descriptor (web.xml)

Let's now add some security constraints to your sample webapp. Open the app's web.xml and add:

[…]
  <!-- Add these -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>general</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Every authenticated user can view this page -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>specific</web-resource-name>
      <url-pattern>/specific.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Every user in the $AD_GROUP can view this specific page -->
      <!-- Replace $AD_GROUP with a SID of a group or the mapped role name you are actually a member of -->
      <role-name>$AD_GROUP</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>bogus</web-resource-name>
      <url-pattern>/bogus.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- No user can view this page -->
      <role-name>Bogus</role-name>
    </auth-constraint>
  </security-constraint>
[…]

Creating the Necessary JSPs

Create the following JSPs in the root of your webapp:

index.jsp:

[…]
Hello ${pageContext.request.remoteUser}!
[…]

specific.jsp:

[…]
Hello ${pageContext.request.remoteUser}, you are member of $AD_GROUP!
[…]

bogus.jsp:

[…]
Hello ${pageContext.request.remoteUser}, you should not see this!
[…]

Packaging and Deployment

Now package your webapp and deploy it to your remote Tomcat instance.

Verification

Open every single URL with a properly configured client like IE, Firefox, Chrome or even cURL on Windows. Your output should be as follows:

index.jsp: HTTP/1.1 200, every user should see a response.
specific.jsp: HTTP/1.1 403 or HTTP/1.1 200, depending on whether the user is in the specific group; the user should see an error page or a response, respectively.
bogus.jsp: HTTP/1.1 403, every user should see an error page.
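
The verification above can be scripted with cURL. The following is an added example, not part of the original page or the project: it requests the three JSPs and compares each status code with the list above. It assumes the configured authenticator speaks HTTP Negotiate (SPNEGO) and that BASE_URL (a hypothetical variable) points at the deployed webapp.

```shell
#!/bin/sh
# Added example. BASE_URL is an assumption, e.g. the scheme, host, port and
# context path of your deployed sample webapp.

# Status codes the verification list accepts for each JSP.
expected_for() {
  case "$1" in
    /index.jsp)    echo "200" ;;
    /specific.jsp) echo "200 403" ;;   # depends on group membership
    /bogus.jsp)    echo "403" ;;
    *)             return 1 ;;
  esac
}

# judge PATH CODE: prints a verdict, returns 0 only if CODE is acceptable.
judge() {
  allowed=$(expected_for "$1") || { echo "UNKNOWN $1"; return 2; }
  for ok in $allowed; do
    if [ "$2" = "$ok" ]; then echo "PASS $1 $2"; return 0; fi
  done
  case "$2" in
    401) echo "FAIL $1 401 (authentication did not complete; check client setup)" ;;
    000) echo "FAIL $1 (no HTTP response; check host, port and TLS)" ;;
    *)   echo "FAIL $1 $2 (expected: $allowed)" ;;
  esac
  return 1
}

# probe BASE PATH: prints the final HTTP status code of the request.
# --negotiate with an empty user (-u :) makes curl authenticate with the
# logged-in user's credentials instead of a typed password.
probe() {
  curl --silent --output /dev/null --write-out '%{http_code}' \
       --negotiate -u : "$1$2"
}

# Runs only when BASE_URL is set, so the functions can also be sourced.
if [ -n "${BASE_URL:-}" ]; then
  rc=0
  for p in /index.jsp /specific.jsp /bogus.jsp; do
    judge "$p" "$(probe "$BASE_URL" "$p")" || rc=1
  done
  exit "$rc"
fi
```

A final 401 means the request was never authenticated, so it says nothing about the role checks; fix the client configuration before interpreting 200 and 403.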