Security Features in Tomcat

 
Ashik Uzzaman
We are planning to go for open source projects in our web applications and chose Apache+Tomcat as a means. I am now trying to find out the security features of Tomcat. As far as my knowledge goes, the Tomcat4\conf\tomcat-users.xml file is used for authentication and authorization. But we are thinking of using a database to track the user details as well as roles and put the value in the session object. I also found that Tomcat lets us use a customized security manager with policy files. So we may provide resource-level security from here. How can I provide user-level security using this security manager (which role gets what resources, without using the tomcat-users.xml file)?
Better would be to know how you have experienced the security of web applications in various projects.
Waiting...
 
Peter den Haan
Don't ask me about the gory details right now, but the xml file is just one security realm. Tomcat allows you to set up additional security realms that take their information from anywhere -- databases, JNDI, whatever -- and associate such realms with web-applications.
The realm API is unfortunately not part of the J2EE standard, so it will be Tomcat-specific. The only way around that is to code your own security, or (better) to use an abstraction layer such as OSUser.
- Peter
 
Steffen Foldager
The use of Realms is quite easy.
There is a great description here (onjava.com) on how to do it. It also includes a MySQL-JDBC solution.
 
Tim Holloway
I'm quite happily using a JDBC realm in Tomcat validating against a PostgreSQL database. Even have some role-based content generation using Struts tags!
I simply read the Tomcat Realm docs and it was almost trivial.
 