Why is Realm setting required in Server.xml and not web.xml

Question

I am working on a Java application for a while. I primarily work on .NET Platform. Although I feel lot of concepts are common between these two platforms but there are few areas where I am finding some issues related to the configuration.

I am working on Authentication and Authorization and thought I would get something similar to Membership APIs of .NET in JAVA. Closest which I got was using j_security_check. I also got to know about JAAS but think it is little too deep for me to dive into.

I have created the user and role tables in the database and now I have to specify the JDBC Realm settings somewhere. I am using Tomcat 7.0. In most places, it's mentioned that I need to specify the realm setting in the server.xml.But wouldn't that apply to all web application deployed on that server since it would become a server level configuration ?.

On a site I even saw a developer mentioning about context.xml but again can't see a standard document that mention about using this XML file for setting JDBC realm

In.NET, We always put Membership settings at the web.config level and not Machine.config.

Totally Confused on this. Looking for some light on this.

Answer 1

Why is Realm setting required in Server.xml and not web.xml

This is not true, you can define it in your webapp as well, but then only in a servletcontainer-specific configuration file, such as /META-INF/context.xml in case of Tomcat. It cannot be definied in /WEB-INF/web.xml because it's specific to the standard Servlet API, not the servletcontainer implementation.

---

But wouldn't that apply to all web application deployed on that server since it would become a server level configuration ?.

That's correct. This is not recommended if you have no control over the server or if you don't want to publish the realm through other webapps.

---

On a site I even saw a developer mentioning about context.xml but again can't see a standard document that mention about using this XML file for setting JDBC realm

You can specify it in webapp's /META-INF/context.xml. See also Tomcat's own documentation on the <Context> element:

Defining a context

It is NOT recommended to place <Context> elements directly in the server.xml file. This is because it makes modifying the Context configuration more invasive since the main conf/server.xml file cannot be reloaded without restarting Tomcat.

Individual Context elements may be explicitly defined:

• In an individual file at /META-INF/context.xml inside the application files. Optionally (based on the Host's copyXML attribute) this may be copied to $CATALINA_BASE/conf/[enginename]/[hostname]/ and renamed to application's base file name plus a ".xml" extension.

• In individual files (with a ".xml" extension) in the $CATALINA_BASE/conf/[enginename]/[hostname]/ directory. The context path and version will be derived from the base name of the file (the file name less the .xml extension). This file will always take precedence over any context.xml file packaged in the web application's META-INF directory.

• Inside a Host element in the main conf/server.xml.

(emphasis is not mine, it is already as such in Tomcat's documentation)