Chapter 14: Tomcat Security

Security Realms

The authentication mechanism descriptions detailed how the credentials used for the authentication process (for example, username and password) are obtained. However, for authentication to take place, Tomcat must also have access to the real credentials against which those sent from the browser must be compared. This section describes where Tomcat stores the actual credentials on the server and how it obtains them.

Realms are the standard mechanism used for storing the credentials used by Tomcat to authenticate the client. Tomcat's Realm mechanism is an implementation of the Realm support mandated in the Servlet specification. A Realm is a standard programming interface defined in Tomcat for accessing a user's username, password, and roles. Tomcat 6's built-in default authentication implementations (including the login mechanisms for the manager utility and the Single Sign-on Valve) depend on Realms to authenticate the user.

Users and Roles

The Web application security model is built around the concept of users and roles. Users are assigned to a role, which determines the resources that the user is allowed to access. For example, a Web application can declare that the resource /admin can be accessed only by users belonging to the admin role. Then, a Realm can be configured to consider the users alice and bob as belonging to the admin role. Thus, when alice and bob authenticate, they will be allowed access to /admin.

The advantage of roles is that they enable the Web application to be configured independently of the permissions of the users who access the application. Using the preceding example, the deployment descriptor of the application needs to specify only that a manager role is required, and is not concerned with the identities of the users who are allowed access. The actual mapping of users to roles can be specified at deployment time and can be changed dynamically without having to change the application code.
This clean separation of the authentication code from the actual method of authentication is the main advantage of Realms. This separation allows for many different ways of creating Realms. The following four built-in Realm implementations can be deployed with Tomcat 6:

- File-backed, in-memory Realms
- JDBC Realms
- JNDI-based Realms
- JAAS-based Realms

In addition to these built-in Realms, it is also possible for developers to create custom Realms supplying the authentication data via arbitrary custom means. The following sections provide detailed coverage of each of the built-in Tomcat 6 Realm implementations. Where applicable, a basic deployment configuration is first described to familiarize you with the particular Realm implementation, followed by the presentation of a more secured method of deployment.
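The following configuration fragments, added here as an illustration and not taken from the book, show the users-and-roles model described above wired to the first of the four built-in implementations, the file-backed in-memory Realm. The application's deployment descriptor names only the admin role for the /admin area (the example uses the URL pattern /admin/* to cover the whole area); the user-to-role mapping for alice and bob lives in conf/tomcat-users.xml and can be changed without touching the application. The user names, role name, resource name and the CHANGE-ME password placeholders are assumed values chosen for the example.

```xml
<!-- WEB-INF/web.xml (fragment): the application declares WHAT role is needed,
     never WHO holds it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- only principals the Realm places in the admin role may pass -->
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- force HTTPS so the BASIC credentials are not sent in the clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Admin area</realm-name>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- conf/server.xml (fragment): the file-backed in-memory Realm. The
     UserDatabase resource is the one Tomcat's stock server.xml defines under
     GlobalNamingResources, pointing at conf/tomcat-users.xml. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>

<!-- conf/tomcat-users.xml: the deployment-time mapping of users to roles.
     Passwords here are placeholders to be replaced before use. -->
<tomcat-users>
  <role rolename="admin"/>
  <user username="alice" password="CHANGE-ME-1" roles="admin"/>
  <user username="bob"   password="CHANGE-ME-2" roles="admin"/>
</tomcat-users>
```

Granting or revoking admin access to a third user is then a one-line change to tomcat-users.xml, which is exactly the decoupling the chapter describes. Two points a reviewer would check in this basic deployment: the passwords in tomcat-users.xml are stored in clear text unless the Realm is configured with its digest attribute to compare digested values, and the BASIC credentials are only protected on the wire by the CONFIDENTIAL transport guarantee, so both belong in the "more secured method of deployment" the later sections promise.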