Configuring Security Domains in Tomcat (overview)

A security domain is a mechanism used by Tomcat servers to protect Web application resources, where security authentication information can be configured, that is, user and user and role mapping relationships, each user can have one or more roles, and each role limits the Web resources available for access

It consists of the following four types

1 Memory domains Memoryrealm read security validation information from XML and store them in memory as a set of objects

2 JDBC Domain Jdbcrealm access to security authentication information stored in the database through JDBC driver

3 Data source domain Datasoucerealm access to security information in a database through a JNDI data source

4Jndi domain Jndirealm access to security authentication information in an LDAP-based directory server via Jndi provider

The configuration process has the following 2 parts

1 Setting security constraints for Web resources

(1) Adding <sercurity-constraint> elements to the web.xml, restricting the file types to be filtered

(2) Add <logiin-config> tomcat in the Web support three authentication methods, 1 Basic authentication, 2 digest validation 3 based on form verification

Summary validation is actually a method of encrypting the first method, and form verification is done by its own Longin page implementation

(3) Add <security-role> elements in Web.xml to specify the names of all the characters of the hand

2 in Conf/server. The XML configures realm, which specifies the class name of the security domain and the associated attributes.

It should be noted that the memory domain is to store user and role data in Tomcat-users.xml

After 2 kinds are stored in the database, especially when the configuration data source domain, must put the datasource stored in the "globalnamingresouces" label, otherwise, although the normal use but do not access to the database validation, can not verify the success