security on tomcat

Rema Remulta
Ranch Hand
Joined: Apr 03, 2002
Posts: 51
Hi everyone,

How do I implement a security mechanism on Tomcat, or something like an administrative tool that manages users' access to a certain app deployed in the Tomcat web server? There should be a way to log all users currently accessing the server and to implement a permission for the client, whether it is allowed to access the server or not. If there is such an add-on security tool for the Tomcat web server, is it downloadable and where can it be found?

Cheers, Rema
Mike Curwen
Ranch Hand
Joined: Feb 20, 2001
Posts: 3695
As part of the Servlet spec, servlet containers must implement container-managed security. I'd read up on the Servlet specification about this feature of all containers. As for Tomcat, there are two pieces of documentation of interest: "Configuring Realm Component" and "Configuring Realm Component - The Sequel". So that's one option: use the built-in tools for this purpose.

The other way is "roll your own", and honestly, there are just so many good ways of doing this. Make your "login.jsp" page. Do your own processing and stick a 'user' object into the session. On every page that requires a logged-in user and/or certain permissions, check for the user object in the session and check what permissions it has. If they don't have enough, redirect them to the login page with a nice message. If they're good, then let the process continue. That's the basic idea.

As for logging who is accessing the server... there is no "spec" coverage of this topic, but there are still a number of ways to handle this. Something I do in one of my applications is use a logging package (log4j) to log the current user. This does not relate to Realms though; I've used my own security implementation (somewhat like described above), and it's as simple as a call to:

logger.info("User " + user.getName() + " made xxxxxx request");

My logger is set up to timestamp and provide the class and method name the logger call was invoked from. "user" is my user object spoken of earlier, and getName() gives me the username of the logged-in user.

It occurs to me you might also implement a logging filter. The filter would do nothing but grab the user from the session and output a timestamp, their name and the URL they accessed. Kinda like a web log, but with usernames.
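The two "roll your own" ideas in the answer above (check the session for a user object with the right permission, and a filter that logs timestamp, username and URL for every request) fit naturally into one servlet Filter. The following is an added example written for this thread, not code from the original post or from Tomcat; the `User` class, the `"user"` session attribute name and the `requiredPermission` init-param are assumptions of the example, and it uses the log4j 1.x `Logger` API the answer mentions.

```java
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger;

/**
 * Added example (not from the original thread). Per request it: reads the
 * application's own "user" object from the session, redirects to login.jsp
 * when there is none or when it lacks the permission this mapping requires,
 * and otherwise writes a web-log style line (timestamp, username, method, URL)
 * through log4j before letting the request proceed.
 *
 * Assumed web.xml wiring (names are this example's, not Tomcat's):
 *   <filter>
 *     <filter-name>userAccess</filter-name>
 *     <filter-class>UserAccessFilter</filter-class>
 *     <init-param>
 *       <param-name>requiredPermission</param-name>
 *       <param-value>admin</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>userAccess</filter-name>
 *     <url-pattern>/admin/*</url-pattern>
 *   </filter-mapping>
 */
public class UserAccessFilter implements Filter {

    // log4j 1.x logger; the layout in log4j.properties can add class and
    // method names (%C / %M) the way the answer describes.
    private static final Logger logger = Logger.getLogger(UserAccessFilter.class);
    private static final SimpleDateFormat STAMP = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");

    // Permission a request must carry to pass; null means "any logged-in user".
    private String requiredPermission;

    /** Assumed shape of the 'user' object that login.jsp's processing stores in the session. */
    public static class User {
        private final String name;
        private final Set<String> permissions;

        public User(String name, Set<String> permissions) {
            this.name = name;
            this.permissions = Collections.unmodifiableSet(new HashSet<String>(permissions));
        }

        public String getName() { return name; }
        public boolean hasPermission(String p) { return permissions.contains(p); }
    }

    public void init(FilterConfig config) {
        requiredPermission = config.getInitParameter("requiredPermission");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to find out it is empty
        HttpSession session = request.getSession(false);
        User user = (session == null) ? null : (User) session.getAttribute("user");

        String url = request.getRequestURI();
        if (request.getQueryString() != null) {
            url += "?" + request.getQueryString();
        }
        String stamp;
        synchronized (STAMP) {            // SimpleDateFormat is not thread-safe
            stamp = STAMP.format(new Date());
        }

        if (user == null) {
            // Nobody logged in: record the attempt and send them to the login page with a message
            logger.info(stamp + " anonymous " + request.getRemoteAddr() + " " + url + " -> login");
            response.sendRedirect(request.getContextPath() + "/login.jsp?msg=Please+log+in");
            return;
        }
        if (requiredPermission != null && !user.hasPermission(requiredPermission)) {
            // Logged in but without the permission this mapping requires
            logger.warn(stamp + " User " + user.getName() + " denied " + url
                        + " (needs " + requiredPermission + ")");
            response.sendRedirect(request.getContextPath() + "/login.jsp?msg=Not+allowed");
            return;
        }

        // The "web log with usernames" line, then let the request continue down the chain
        logger.info(stamp + " User " + user.getName() + " " + request.getMethod() + " " + url);
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter to the protected URL patterns only, never to login.jsp itself, or the redirect for an anonymous user will loop. One mapping per permission level (with its own `requiredPermission` init-param) replaces the per-page session check the answer describes, and the denied requests show up in the same log as the successful ones, which is the part a web log alone would not give you.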