JavaRanch » Java Forums » Products » Tomcat

Security Features in Tomcat

Ashik Uzzaman
Ranch Hand

Joined: Jul 05, 2001
Posts: 2373

We are planning to go for open source projects in our web applications and chose Apache+Tomcat as a means. I am now trying to find out the security features of Tomcat. As far as my knowledge goes, the Tomcat4\conf\tomcat-users.xml file is used for authentication and authorization. But we are thinking of using a database to trace the user details as well as roles and put the value in the session object. I also found that Tomcat lets us use a customized security manager with policy files. So we may provide resource-level security from here. How can I provide user-level security using this security manager (which role gets what resources, without using the tomcat-users.xml file)?
Better would be to know how you have experienced the security of web applications in various projects.

Ashik Uzzaman
Senior Software Engineer, TubeMogul, Emeryville, CA, USA.
Peter den Haan
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
Don't ask me about the gory details right now, but the xml file is just one security realm. Tomcat allows you to set up additional security realms that take their information from anywhere -- databases, JNDI, whatever -- and associate such realms with web applications.
The realm API is unfortunately not part of the J2EE standard, so it will be Tomcat-specific. The only way around that is to code your own security, or (better) to use an abstraction layer such as OSUser.
- Peter
Steffen Foldager
Ranch Hand

Joined: Mar 22, 2001
Posts: 58
The use of Realms is quite easy.
There is a great description here on how to do it. Also includes a MySQL-JDBC solution.

Steffen Foldager
Sun Certified Java Programmer
Sun Certified Web Component Developer
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17410

I'm quite happily using a JDBC realm in Tomcat validating against a PostgreSQL database. Even have some role-based content generation using Struts tags!
I simply read the Tomcat Realm docs and it was almost trivial.

An IDE is no substitute for an Intelligent Developer.
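The database-backed realm that Peter and Tim describe, written out as an added example (this is not code from the thread or from Tomcat's own documentation). It answers the original question directly: the security manager and catalina.policy govern what the web application's *code* is permitted to do (file, socket and property permissions), not which *users* may reach which URLs; user-level authorization comes from a Realm plus the standard `<security-constraint>` elements in web.xml, so tomcat-users.xml is not needed at all. The database name, the JDBC credentials, the table and column names (`app_users`, `app_roles`, `username`, `password`, `role_name`) and the `/admin/*` URL pattern are assumptions for illustration.

```xml
<!-- 1. Realm configuration (server.xml, inside the <Context> for one webapp,
        or inside <Engine>/<Host> to share it). Assumed schema:
        app_users(username, password)  and  app_roles(username, role_name),
        one row per user/role pair. The credentials below are placeholders. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.postgresql.Driver"
       connectionURL="jdbc:postgresql://localhost:5432/webapp"
       connectionName="tomcat_auth"
       connectionPassword="CHANGE_ME"
       userTable="app_users"  userNameCol="username"  userCredCol="password"
       userRoleTable="app_roles"  roleNameCol="role_name"
       digest="SHA"/>
<!-- digest="SHA" makes Tomcat compare against hashed rather than plaintext
     values in userCredCol (Tomcat 4 to 7 syntax; Tomcat 8 and later express the
     same thing with a nested <CredentialHandler> element instead). -->

<!-- 2. Authorization rules (WEB-INF/web.xml). These are portable Servlet-spec
        elements, so only the Realm above is Tomcat-specific. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>
```

With this in place there is no need to copy roles into the session by hand: the container authenticates the user against the database, and servlet or JSP code asks `request.isUserInRole("admin")` and `request.getRemoteUser()` for role-based content, which is what the Struts tags Tim mentions do underneath. Two practical caveats: the JDBC realm holds a single database connection, so under load Tomcat's DataSourceRealm (same table and column attributes, but backed by a JNDI DataSource and a connection pool) is the better choice; and the account in `connectionName` should have read-only access to the two tables and nothing else.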
I agree. Here's the link: