The security of a web application's resources can be controlled either by the container or by the web application itself. The Java EE specification (previously known as J2EE) calls the former container-managed security and the latter application-managed security. Tomcat provides several different approaches for handling security through built-in mechanisms, which represent container-managed security. On the other hand, if you have a series of servlets and JSPs that have their own login mechanism, it would be considered application-managed security. In both types of security, users and passwords are managed in groupings called realms. This section details setting up Tomcat realms and using the built-in security features of Tomcat to handle user authentication.
The combination of a realm configuration in Tomcat's conf/server.xml file and a <security-constraint> in a webapp's WEB-INF/web.xml file define how user and role information will be stored and how users will be authenticated for the webapp. There are many ways of configuring each; feel free to mix and match.
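As an added example (not taken from the original text), here are the two halves side by side: a Realm element for conf/server.xml and the matching WEB-INF/web.xml fragment that protects one part of the webapp. The /admin/* path, the manager role name and the login page names are assumptions made for the illustration; LockOutRealm is a Tomcat 7 and later feature.

```xml
<!-- conf/server.xml (excerpt): the realm supplies users, passwords and roles.
     LockOutRealm is a wrapper (Tomcat 7+) that locks an account after repeated
     failed logins, which limits password guessing against FORM/BASIC auth. -->
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="5" lockOutTime="300">
    <!-- users and roles come from conf/tomcat-users.xml through the
         UserDatabase JNDI resource declared in GlobalNamingResources -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>
  <!-- Host elements, valves, etc. follow -->
</Engine>

<!-- WEB-INF/web.xml (excerpt): the constraint says which URLs need which
     roles; login-config says how the container authenticates the user. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>            <!-- assumed path -->
    <!-- no <http-method> listed on purpose: the constraint then covers
         every HTTP method, so a HEAD or PUT request cannot slip past it -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>                 <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <!-- require TLS so credentials and session cookies are not sent in clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Admin area</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>          <!-- assumed -->
    <form-error-page>/login-error.jsp</form-error-page>    <!-- assumed -->
  </form-login-config>
</login-config>

<!-- every role named in an auth-constraint should also be declared here -->
<security-role>
  <role-name>manager</role-name>
</security-role>
```

A user defined in tomcat-users.xml with roles="manager" can reach /admin/* after logging in over HTTPS; a user without that role is refused with 403 even though the credentials were valid.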
In this and future sections, you will see the term context used interchangeably with web application. A context is the technical term used within Tomcat for a web application and has a corresponding set of XML elements and attributes that define it in Tomcat's server.xml file or in its own context XML fragment file.
To use Tomcat's container-managed security, you have to set ...