Tomcat comes out of the box with the following security realms, i.e. modules that does Authentication and Authorization.
|Name||CIS Tomcat 8 Benchmark Note *|
|JDBCRealm||NOT for Production|
|UserDatabaseRealm||NOT for Large-Scale Installations|
|MemoryRealm||NOT for Production|
|JAASRealm||NOT widely used and therefore the code is not as mature as the other realms.|
This leaves us with only two production ready realms: DataSourceRealm and JNDIRealm (LDAP)
There are two other Realms (CombinedRealm and LockOutRealm), but they do not do authentication and authorization.