Filed under Content - Highlights and Reviews, Information Technology, Web Development.

Apache Tomcat has become one of the most popular choices for web developers who are looking for an open source web application container to run JavaServer Pages and servlets. Its popularity can be credited to advanced features such as Tomcat valves, specialized realms and the Tomcat Manager App, in addition to good stability and support, especially for a free, open source application.

The realm implementation is one of the most advanced features in Tomcat. Tomcat provides a built-in security mechanism, realms, to protect the resources of an application. In general, a realm provides an API for declaring security constraints for groups of users, where each user may have several roles associated with their username. Realms are a built-in feature based on the org.apache.catalina.Realm interface, and the default location of this component is:

A number of standard realm plugins ship with Tomcat 7. In this article, we briefly describe the most common ones: MemoryRealm, JDBCRealm, DataSourceRealm, JNDIRealm and UserDatabaseRealm. You can study these realms in depth in Apache Tomcat 7 by Aleksa Vukotic and James Goodwill.

MemoryRealm
The memory realm is provided by Tomcat and implemented by the org.apache.catalina.realm.MemoryRealm class. The MemoryRealm reads the XML document located at <TOMCAT_HOME>/conf/server.xml.

This loads the users along with their corresponding roles. The following example shows the structure of a MemoryRealm definition.

JDBCRealm
As the name implies, the JDBCRealm connects to a relational database over JDBC to look up users and their corresponding roles. Two tables are needed, one for users and one for roles. The first table has two columns, one for the username and the other for the password. The second table also has two columns, one for the username and the other for a role name. A user can have more than one role, which means more than one row in the second table. Here is an example that shows the creation of the users and roles tables:
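An added example (not the article's own listing) of the two tables the JDBCRealm expects. The table and column names are the ones used in Tomcat's documentation; the Realm's userTable, userNameCol, userCredCol, userRoleTable and roleNameCol attributes map whatever names you actually choose. The rows and digest values are constructed for illustration.

```sql
-- Added example (not from the article): schema for a Tomcat JDBCRealm.
-- Table/column names follow the Tomcat documentation; the Realm element's
-- userTable, userNameCol, userCredCol, userRoleTable and roleNameCol
-- attributes map them, so other names work equally well.

-- One row per user. By default the JDBCRealm compares the stored value
-- with the cleartext password, so set the Realm's digest attribute
-- (e.g. SHA-256) and store the hex digest instead; the column is sized
-- for a 64-character SHA-256 hex string rather than a short cleartext.
CREATE TABLE users (
  user_name VARCHAR(15) NOT NULL PRIMARY KEY,
  user_pass VARCHAR(64) NOT NULL
);

-- One row per (user, role) pair; a user with several roles has several rows.
-- The foreign key keeps orphaned role rows out of the table.
CREATE TABLE user_roles (
  user_name VARCHAR(15) NOT NULL REFERENCES users(user_name),
  role_name VARCHAR(15) NOT NULL,
  PRIMARY KEY (user_name, role_name)
);

-- Constructed sample data. The digest values are placeholders standing in
-- for real hex digests produced with the Realm's configured algorithm.
INSERT INTO users (user_name, user_pass) VALUES
  ('alice', '<sha256-hex-digest-of-alice-password>'),
  ('bob',   '<sha256-hex-digest-of-bob-password>');

INSERT INTO user_roles (user_name, role_name) VALUES
  ('alice', 'manager-gui'),
  ('alice', 'admin-gui'),
  ('bob',   'tomcat');

-- What the realm asks at login: first the credential for the submitted
-- name, then that user's role list. Tomcat issues both as prepared
-- statements with the username bound as a parameter; shown here with a
-- literal so the script runs in any SQL client.
SELECT user_pass FROM users WHERE user_name = 'alice';
SELECT role_name FROM user_roles WHERE user_name = 'alice';
```

The second query is why one role per row matters: alice's two rows come back as two roles, and the security constraints in web.xml are matched against that list.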

JNDIRealm
The JNDIRealm looks up the users that Tomcat authenticates in an LDAP (Lightweight Directory Access Protocol) server. The LDAP directory is accessed through a JNDI provider, and the realm's connection to LDAP is described by the connectionURL attribute. Detailed information about setting up and configuring the JNDIRealm can be read here.

DataSourceRealm
The DataSourceRealm is another useful implementation that looks up users along with their roles in a relational database. The source is a JDBC DataSource that is accessed through JNDI. The database requirements are the same as for the JDBCRealm, with the additional step of configuring the JNDI name of the JDBC DataSource.

UserDatabaseRealm
The UserDatabaseRealm reads the details of users and their roles from an XML file. The XML file is loaded through a JNDI interface. The default location of this XML file is:

This method is only suitable for a small list of users and is not recommended for large-scale use. The representation of users and their corresponding roles is similar to that of the MemoryRealm.

Safari Books Online has the content you need

Check out these Tomcat books available from Safari Books Online:

Apache Tomcat is the most popular open source Java web application server and the de facto standard for today's web developers using JSP/Servlets. Apache Tomcat 7 covers the installation and administration of Apache Tomcat 7. It explains key parts of the Tomcat architecture, and provides an introduction to the Java Servlet and JSP APIs in the context of the Apache Tomcat server. In addition to basic concepts and administration tasks, Apache Tomcat 7 covers some of the most frequently used advanced features of Tomcat, including security, Apache web server integration, load balancing, and embedding the Tomcat server in Java applications.
It takes a book as versatile as its subject to cover Apache Tomcat, the popular open source Servlet and JSP container and high performance web server. Tomcat: The Definitive Guide is a valuable reference for administrators and webmasters, a useful guide for programmers who want to use Tomcat as their web application server during development or in production, and an excellent introduction for anyone interested in Tomcat. Updated for the latest version of Tomcat, this new edition offers a complete guide to installing, configuring, maintaining and securing this servlet container.

About the author

Usman Aziz is a technical lead at TunaCode, Inc., a startup that delivers GPU-accelerated computing solutions to time-critical application domains. He holds a degree in Computer Systems Engineering. His current focus is on protecting bulk data. He can be reached at

Tags: Apache Tomcat, JavaServer Pages, open source, Security Realms