May 14, 2017

Tomcat Standard Security Realms

Tomcat comes out of the box with the following security realms, i.e. modules that perform authentication and authorization.

| Name | CIS Tomcat 8 Benchmark Note * |
|---|---|
| JDBCRealm | NOT for Production |
| JNDIRealm (LDAP) | |
| UserDatabaseRealm | NOT for Large-Scale Installations |
| MemoryRealm | NOT for Production |
| JAASRealm | NOT widely used and therefore the code is not as mature as the other realms. |

*) CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf

This leaves us with only two production-ready realms: DataSourceRealm and JNDIRealm (LDAP).

There are two other Realms (CombinedRealm and LockOutRealm), but they do not do authentication and authorization.
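
A small check of a `server.xml` against the notes in the table above, as an added example (not part of the original post or of Tomcat). The sample configuration is constructed, and the function name `audit_realms` and the "wrapper with no nested realm" finding are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Notes copied from the table on this page (CIS Tomcat 8 Benchmark column).
REALM_NOTES = {
    "JDBCRealm": "NOT for Production",
    "UserDatabaseRealm": "NOT for Large-Scale Installations",
    "MemoryRealm": "NOT for Production",
    "JAASRealm": "NOT widely used",
}
# These only wrap nested realms; they do not authenticate on their own.
WRAPPERS = {"CombinedRealm", "LockOutRealm"}

# Constructed sample server.xml fragment (not from a real deployment).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps">
        <Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/authdb"/>
        <Context path="/legacy">
          <Realm className="org.apache.catalina.realm.MemoryRealm"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""

def audit_realms(xml_text):
    """Return (container, realm, note) for each flagged realm, nested ones included."""
    findings = []
    def walk(elem, container):
        for child in elem:
            if child.tag == "Realm":
                name = child.get("className", "").rsplit(".", 1)[-1]
                if name in REALM_NOTES:
                    findings.append((container, name, REALM_NOTES[name]))
                elif name in WRAPPERS and not child.findall("Realm"):
                    findings.append((container, name, "wrapper with no nested realm"))
                walk(child, container)  # realms nested in a wrapper keep the same container
            else:
                walk(child, "%s[%s]" % (child.tag, child.get("name") or child.get("path") or ""))
    walk(ET.fromstring(xml_text), "Server")
    return findings
```

On the sample, the UserDatabaseRealm hidden inside the LockOutRealm and the MemoryRealm on the `/legacy` context are reported, while the DataSourceRealm on the host passes.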
