We are planning to go for open source projects in our web applications and chose Apache+Tomcat as a means. I am now trying to find out the security features of Tomcat. As far as my knowledge goes, the Tomcat4\conf\tomcat-users.xml file is used for authentication and authorization. But we are thinking of using a database to trace the user details as well as roles and put the value in the session object. I also found that Tomcat lets us use a customized security manager with policy files. So we may provide resource level security from here. How can I provide user level security using this security manager (which role gets what resources, without using the tomcat-users.xml file)? Better would be to know how you have experienced the security of web applications in various projects. Waiting...
Ashik Uzzaman Senior Software Engineer, TubeMogul, Emeryville, CA, USA.
Don't ask me about the gory details right now, but the xml file is just one security realm. Tomcat allows you to set up additional security realms that take their information from anywhere -- databases, JNDI, whatever -- and associate such realms with web applications. The realm API is unfortunately not part of the J2EE standard, so it will be Tomcat-specific. The only way around that is to code your own security, or (better) to use an abstraction layer such as OSUser. - Peter
I'm quite happily using a JDBC realm in Tomcat validating against a PostgreSQL database. Even have some role-based content generation using Struts tags! I simply read the Tomcat Realm docs and it was almost trivial.
An IDE is no substitute for an Intelligent Developer.
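As an added example (not configuration posted by either of the repliers above), here is what the database-backed realm Peter describes and the JDBC-realm-against-PostgreSQL setup from the second reply look like in practice, together with the web.xml part that answers the original "which role gets what resources" question. Everything here is assumed for illustration: the database name `webapp`, the tables `users(user_name, user_pass)` and `user_roles(user_name, role_name)`, the realm login `tomcat_realm`, and the role names `admin` and `manager`. The `digest="SHA"` attribute is the Tomcat 4 to 7 JDBCRealm syntax; Tomcat 8 and later replaced it with a nested `<CredentialHandler>` element and deprecate JDBCRealm in favour of DataSourceRealm.

```xml
<!-- File 1: the web application's context (in Tomcat 4 the <Context> element
     in server.xml; later versions accept META-INF/context.xml). The Realm
     authenticates against PostgreSQL instead of tomcat-users.xml.
     Assumed schema (constructed for this example):
       CREATE TABLE users      (user_name VARCHAR(64) PRIMARY KEY, user_pass VARCHAR(128));
       CREATE TABLE user_roles (user_name VARCHAR(64), role_name VARCHAR(64),
                                PRIMARY KEY (user_name, role_name)); -->
<Context path="/webapp" docBase="webapp">
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="org.postgresql.Driver"
         connectionURL="jdbc:postgresql://localhost:5432/webapp"
         connectionName="tomcat_realm"
         connectionPassword="change-me"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name"
         digest="SHA"/>  <!-- user_pass holds hex SHA-1 digests, not plaintext -->
</Context>

<!-- File 2: WEB-INF/web.xml. This is where role-to-resource mapping lives;
     the realm only says who the user is and which roles they hold. -->
<web-app>
  <!-- Only "admin" may reach anything under /admin/, and only over HTTPS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Reports are readable by managers and admins; the empty
       <auth-constraint/> variant (no role-name) would deny everyone. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>webapp</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced above must be declared. -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>
</web-app>
```

Two points worth checking before relying on this. First, the Java security manager and catalina.policy that the question mentions sandbox the *code* (which classes may open sockets, read files, and so on); they know nothing about users, so "which role gets what resources" is expressed in web.xml as above and, inside servlets or JSPs, with `request.isUserInRole("admin")`. Second, a single JDBCRealm holds one JDBC connection and serialises all authentications through it; on Tomcat 5 and later, DataSourceRealm with a pooled JNDI DataSource is the usual choice for anything beyond a small deployment. Keep the realm's database account limited to SELECT on the two tables.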