JavaRanch » Java Forums » Products » Tomcat
Security Features in Tomcat

Ashik Uzzaman
Ranch Hand

Joined: Jul 05, 2001
Posts: 2373

We are planning to go for open source projects in our web applications and chose Apache+Tomcat as a means. I am now trying to find out the security features of Tomcat. As far as my knowledge goes, the Tomcat4\conf\tomcat-users.xml file is used for authentication and authorization. But we are thinking of using a database to trace the user details as well as roles and put the value in the session object. I also found that Tomcat lets us use a customized security manager with policy files. So we may provide resource level security from here. How can I provide user level security using this security manager (which role gets what resources, without using the tomcat-users.xml file)?
Better would be to know, how you have experienced the security of web applications in various projects.
Waiting...


Ashik Uzzaman
Senior Software Engineer, TubeMogul, Emeryville, CA, USA.
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
Don't ask me about the gory details right now, but the xml file is just one security realm. Tomcat allows you to set up additional security realms that take their information from anywhere -- databases, JNDI, whatever -- and associate such realms with web applications.
The realm API is unfortunately not part of the J2EE standard, so it will be Tomcat-specific. The only way around that is to code your own security, or (better) to use an abstraction layer such as OSUser.
- Peter
Steffen Foldager
Ranch Hand

Joined: Mar 22, 2001
Posts: 58
The use of Realms is quite easy.
There is a great description here (onjava.com) on how to do it. It also includes a MySQL/JDBC solution.


Steffen Foldager
Sun Certified Java Programmer
Sun Certified Web Component Developer
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17149
I'm quite happily using a JDBC realm in Tomcat validating against a PostgreSQL database. Even have some role-based content generation using Struts tags!
I simply read the Tomcat Realm docs and it was almost trivial.


An IDE is no substitute for an Intelligent Developer.
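As an added illustration of the database-backed realm that Peter and Tim describe, here is a complete configuration: a per-application realm that reads users and roles from a database, and the web.xml constraints that say which role gets which resources. This is example configuration written for this page, not code from either poster, from the onjava.com article, or from the Tomcat project. It assumes Tomcat 8.5 or 9 (the Tomcat 4 JDBCRealm of the original question takes driverName/connectionURL attributes instead and has no CredentialHandler); the JNDI name jdbc/AuthDB, the table and column names, the role names and the URL patterns are all constructed for the example.

```xml
<!-- File 1: META-INF/context.xml inside the web application.
     Added example; assumes Tomcat 8.5/9 and a PostgreSQL database. -->
<Context>
  <!-- Pooled connection exposed through JNDI. The DB credentials here are
       a placeholder: keep the real file readable only by the Tomcat service
       account and out of version control. -->
  <Resource name="jdbc/AuthDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://localhost:5432/appdb"
            username="tomcat_auth" password="change-me"
            maxTotal="10" maxIdle="5" />

  <!-- This realm replaces tomcat-users.xml for this context only.
       Expected schema (constructed for this example):
         CREATE TABLE app_users      (user_name VARCHAR(64) PRIMARY KEY,
                                      user_pass VARCHAR(255) NOT NULL);
         CREATE TABLE app_user_roles (user_name VARCHAR(64) REFERENCES app_users,
                                      role_name VARCHAR(64) NOT NULL,
                                      PRIMARY KEY (user_name, role_name));
       localDataSource="true" resolves jdbc/AuthDB in this context's own JNDI
       namespace rather than the global one. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/AuthDB" localDataSource="true"
         userTable="app_users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="app_user_roles" roleNameCol="role_name">
    <!-- Store salted, iterated hashes in user_pass rather than plaintext.
         Values can be produced with the bundled tool, e.g.
         bin/digest.sh -a PBKDF2WithHmacSHA512 -i 100000 -s 16 -k 256
                       -h org.apache.catalina.realm.SecretKeyCredentialHandler <password> -->
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                       algorithm="PBKDF2WithHmacSHA512" iterations="100000"
                       keyLength="256" saltLength="16" />
  </Realm>
</Context>

<!-- File 2: WEB-INF/web.xml. The container enforces these constraints using the
     realm above; no application code needs to read tomcat-users.xml or copy
     roles into the session. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Only 'admin' may reach /admin/*, and only over TLS. No <http-method> is
       listed on purpose: naming methods restricts only those methods and
       leaves every other verb unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin console</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 'member' and 'admin' may reach /members/*. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Application</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>member</role-name></security-role>
</web-app>
```

Once the realm is in place, the role information the original question wanted to stash in the session is already available to JSPs, servlets and tag libraries through request.getRemoteUser() and request.isUserInRole("admin"), which is what the role-based content generation Tim mentions relies on. Two checks worth doing after deployment: confirm that an unauthenticated request to /admin/ with a verb such as OPTIONS or PUT is rejected just like GET (the constraint above has no method list, so it should be), and confirm that the user_pass column holds only hashed values, since the realm happily accepts plaintext if no CredentialHandler is configured.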