Security Realms

Security Realms are used to restrict access to resources in your application.

They are fairly simple to set up, although a few new web.xml tags and concepts must be learned first.


  • Realm - defined in context.xml or server.xml, an application can use a single realm only. A realm defines a storage method (eg: XML or JDBC) for user authentication data (eg: usernames and passwords). Users are grouped together into groups called roles.
  • Users - defined in the realm, typically in an XML file, or a database.
  • Roles - these are essentially user groups, defined in the realm, listed in web.xml using <security-role>, and connected to resources using <auth-constraint>.
  • Resources - these are relative paths or other URL patterns, defined in web.xml in the <security-constraint> element, in one or more <web-resource-collection> elements.

Elements Required in web.xml for Authentication

All of the following elements must be present in web.xml to enable authentication.
  • <security-constraint> - to define the security contraints (defines resources, and maps them to roles)
  • <security-role> - lists the roles used by the application
  • <login-config> - to sets the authentication method and any other data used by authentication. For example, FORM based authentication requires the path of a login page.

Useful Functions

  • HttpServletRequest.getRemoteUser() can be used to retrieve the username after login (null if not logged in)
  • HttpServletRequest.isUserInRole() can be used to check if an authenticated user is in a specific role. This is useful if multiple roles are permitted access to a secured area.

See Also

  • web.xml Reference - for a full example of a security constraint
metawerx specific

referring pages