Securing the Open Source Portal

5 min

This page is relevant for Open Source users only. Essential OS security is limited in that you can either allow people access or not. Unlike Essential Cloud, you cannot control access to specific views or data by user/role.

This tutorial describes how you can apply access control to Essential Viewer, securing it for use by authorised users only.

If you wish to control access to the analysis reports of Essential Viewer, set up the required user accounts as follows:

Define Essential Viewer Users

Edit the /conf/tomcat-users.xml file to create user accounts that have the report_viewer role. e.g.

   <user roles="report_viewer" password="viewer" username="architect"></user>

Enable Security Constraints

To enable the user authentication, you must enable the security constraints in each Essential Viewer application.

This is done by editing the web.xml file that controls Essential Viewer. This is located in the WEB-INF sub-folder of each Essential Viewer deployment in your Java Application Server. e.g. on Apache Tomcat, this is in webapps/

Go to the WEB-INF folder of your selected Essential Viewer deployment.

  • Open the file 'web.xml' for editing – you can do this in Notepad or any other text editor.

  • Scroll to the bottom of the file and you will see the following section of XML:


Entire Application


  • Remove the opening comment [ <!-- ] from the line before the <security-constraint>tag

  • Remove the closing comment [ --> ] from the line after </auth-constraint> tag a couple of lines down.

  • Repeat this to remove all the opening and closing comments that appear in the first column of the file until the security section looks like:


Entire Application


Tomcat Manager Application

The role that is required to log in to the Essential Viewer Application


This switches on authentication control for all URLs in the application. This includes the publishing service as well as the Viewer itself but each uses the same access control list / security configuration.

By default, this will enable Tomcat BASIC AUTHENTICATION and any user with the role "report_viewer" [as defined in the tag] can access the site. As we discussed, the user list is maintained in the tomcat-users.xml document, although Tomcat can be integrated with LDAP services.

Restart Java Application Server

After making these changes, restart the Tomcat service.

These user names and passwords will now also be required when publishing your architecture from the Essential Architecture Reporting tab in Protege.

Updated 31 October 2023

Contact Us