Security Realms
Security Realms are used to restrict access to resources in your application.
They are fairly simple to set up, although a few new web.xml tags and concepts must be learned first.
Concepts
- Realm - defined in context.xml or server.xml; an application can use only a single realm. A realm defines a storage method (e.g. XML or JDBC) for user authentication data (e.g. usernames and passwords). Users are grouped together into groups called roles.
- Users - defined in the realm, typically in an XML file, or a database.
- Roles - these are essentially user groups, defined in the realm, listed in web.xml using <security-role>, and connected to resources using <auth-constraint>.
- Resources - these are relative paths or other URL patterns, defined in web.xml in the <security-constraint> element, in one or more <web-resource-collection> elements.
Elements Required in web.xml for Authentication
All of the following elements must be present in web.xml to enable authentication.
- <security-constraint> - defines the security constraints (defines resources and maps them to roles)
- <security-role> - lists the roles used by the application
- <login-config> - sets the authentication method and any other data used by authentication. For example, FORM based authentication requires the path of a login page.
Useful Functions
- HttpServletRequest.getRemoteUser() can be used to retrieve the username after login (null if not logged in)
- HttpServletRequest.isUserInRole(String role) can be used to check whether the authenticated user is in a specific role. This is useful if multiple roles are permitted access to a secured area.
See Also
- web.xml Reference - for a full example of a security constraint