Question

What is the best way to authenticate and authorize webapp requests in the Tomcat Servlet Container?

I have two ideas,

1 - Use the Tomcat Realm.

2 - There is a web service that provides the capability to evaluate user requests against XACML policies. That means if we send the user name and resource name (here the servlet) to that web service, it will evaluate the request against a XACML policy (where we can change or add new policies) and say permit or deny.

What is the best way ?


Solution

I suggest you use the Tomcat realm or servlet filters.

OTHER TIPS

Container Managed Authentication is the standard solution. That means you define a JAASRealm in Tomcat and define your own LoginModule(s) and JAAS configuration file. The LoginModules can do whatever you like. Tomcat will take care of ensuring a login when required, and of enforcing access control via the user's roles as set up by your login module and defined in web.xml. No filters required.
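The following is an added illustration of the container-managed approach described above; it is not code from the answer's author or from Tomcat. It shows the shape of a custom JAAS `LoginModule` that a Tomcat `JAASRealm` can drive, with the user and role `Principal` classes the realm is told about through `userClassNames` / `roleClassNames`. The class name `DemoLoginModule`, the application name `DemoApp`, and the in-memory user table are assumptions made for the example; a real module would consult a directory or database and store salted, slow password hashes.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical LoginModule for a Tomcat JAASRealm (example, not Tomcat's code).
// Wiring assumed for this example:
//   server.xml:  <Realm className="org.apache.catalina.realm.JAASRealm" appName="DemoApp"
//                       userClassNames="DemoLoginModule$UserPrincipal"
//                       roleClassNames="DemoLoginModule$RolePrincipal"/>
//   jaas.config (-Djava.security.auth.login.config=...):  DemoApp { DemoLoginModule required; };
//   web.xml: <security-constraint> with <auth-constraint><role-name>admin</role-name>
//            plus a <login-config> (FORM or BASIC); Tomcat enforces the roles, no filter needed.
public class DemoLoginModule implements LoginModule {

    // Principal types the realm maps to the authenticated user and to web.xml roles.
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Constructed demo store: user -> [sha256(password), role...]. Digests are computed at
    // class load only to keep the example self-contained; do not store plaintext like this.
    private static final Map<String, String[]> USERS = Map.of(
        "alice", new String[] { sha256Hex("s3cret"), "admin", "user" },
        "bob",   new String[] { sha256Hex("hunter2"), "user" });

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private List<String> roles;
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        // Tomcat's JAASRealm supplies a CallbackHandler that fills these from the login request.
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        String[] record = name == null ? null : USERS.get(name);
        // Constant-time digest comparison; the same generic failure is reported for an unknown
        // user and a wrong password so the response does not reveal which one it was.
        boolean ok = record != null && pw != null && MessageDigest.isEqual(
            record[0].getBytes(StandardCharsets.UTF_8),
            sha256Hex(new String(pw)).getBytes(StandardCharsets.UTF_8));
        if (pw != null) Arrays.fill(pw, '\0');
        if (!ok) throw new FailedLoginException("invalid credentials");
        user = name;
        roles = Arrays.asList(record).subList(1, record.length);
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        // The realm reads the user principal and role principals back from the Subject.
        subject.getPrincipals().add(new UserPrincipal(user));
        for (String r : roles) subject.getPrincipals().add(new RolePrincipal(r));
        return true;
    }

    @Override
    public boolean abort() { user = null; roles = null; succeeded = false; return true; }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal || p instanceof RolePrincipal);
        return true;
    }

    private static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

With this in place the container performs the challenge, calls the module, and then checks `<auth-constraint>` roles against the `RolePrincipal`s in the Subject; the servlets themselves only see `request.getUserPrincipal()` and `request.isUserInRole(...)`.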

I wrote a Servlet PEP that creates XACML requests from the HttpServletObject and possibly additional information e.g. time of the day and sends it off to a PDP.

To do so, I implemented javax.servlet.Filter. It really is the best way to go forward. In your web.xml, you can then define the scope of the filter.

My PEP then sends the XACML request as a SOAP message to an Axiomatics XACML 3.0 PDP. What are you using?

Check out my SDK video on Youtube too that shows how to quickly create a Java PEP. http://www.youtube.com/watch?v=Z_2M775uFxo
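As an added example (not the answer author's PEP, and not Axiomatics code), here is the outline of such a `javax.servlet.Filter`: it builds a XACML 3.0 `Request` from the authenticated principal, the request URI, the HTTP method and the current time, hands it to a PDP, and lets the request through only on an explicit `Permit`. The transport to the PDP (the answer uses SOAP) is left behind a hypothetical `PdpClient` interface that the example assumes is published as a servlet-context attribute named `pdpClient`; the `main` method runs the filter's request builder against a constructed stub PDP.

```java
import java.io.IOException;
import java.security.Principal;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical XACML PEP filter (example code). Assumed web.xml mapping:
//   <filter><filter-name>pep</filter-name><filter-class>XacmlPepFilter</filter-class></filter>
//   <filter-mapping><filter-name>pep</filter-name><url-pattern>/app/*</url-pattern></filter-mapping>
public class XacmlPepFilter implements Filter {

    /** Assumed transport to the PDP: sends the Request document, returns the Decision text. */
    public interface PdpClient {
        String evaluate(String xacmlRequest) throws IOException;
    }

    private static final String XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";
    private static final String XSD = "http://www.w3.org/2001/XMLSchema#";

    private PdpClient pdp;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Assumption: a ServletContextListener registered the client under this attribute.
        pdp = (PdpClient) cfg.getServletContext().getAttribute("pdpClient");
        if (pdp == null) throw new ServletException("no PdpClient configured");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        // Authentication stays with the Realm; the PEP only authorizes an identified subject.
        Principal who = http.getUserPrincipal();
        if (who == null) { out.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }

        String decision;
        try {
            decision = pdp.evaluate(buildRequest(who.getName(), http.getRequestURI(),
                                                 http.getMethod(), OffsetDateTime.now(ZoneOffset.UTC)));
        } catch (IOException e) {
            decision = "Indeterminate"; // PDP unreachable: fail closed rather than open
        }
        // Anything other than an explicit Permit (Deny, NotApplicable, Indeterminate) is refused.
        if (!"Permit".equals(decision)) { out.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    // XACML 3.0 Request with the four standard categories. Values copied from the HTTP
    // request are XML-escaped so a crafted URI cannot change the document structure.
    static String buildRequest(String subject, String resource, String action, OffsetDateTime now) {
        return "<Request xmlns=\"" + XACML_NS + "\" ReturnPolicyIdList=\"false\" CombinedDecision=\"false\">"
            + attrs("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                    "urn:oasis:names:tc:xacml:1.0:subject:subject-id", "string", subject)
            + attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                    "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "string", resource)
            + attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
                    "urn:oasis:names:tc:xacml:1.0:action:action-id", "string", action)
            + attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
                    "urn:oasis:names:tc:xacml:1.0:environment:current-time", "time",
                    now.format(DateTimeFormatter.ISO_OFFSET_TIME))
            + "</Request>";
    }

    private static String attrs(String category, String id, String xsdType, String value) {
        return "<Attributes Category=\"" + category + "\">"
            + "<Attribute AttributeId=\"" + id + "\" IncludeInResult=\"false\">"
            + "<AttributeValue DataType=\"" + XSD + xsdType + "\">" + escape(value) + "</AttributeValue>"
            + "</Attribute></Attributes>";
    }

    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Stand-alone demo with a constructed stub PDP: only "alice" may GET under /app/reports.
    public static void main(String[] args) throws IOException {
        PdpClient stub = xml -> xml.contains(">alice<") && xml.contains(">GET<")
                                && xml.contains(">/app/reports") ? "Permit" : "Deny";
        String r = buildRequest("alice", "/app/reports/q1", "GET", OffsetDateTime.now(ZoneOffset.UTC));
        System.out.println(r);
        System.out.println("alice GET /app/reports/q1 -> " + stub.evaluate(r));
        System.out.println("bob GET /app/reports/q1 -> "
            + stub.evaluate(buildRequest("bob", "/app/reports/q1", "GET", OffsetDateTime.now(ZoneOffset.UTC))));
    }
}
```

Two design points worth keeping when swapping in a real PDP transport: treat every non-`Permit` outcome, including transport errors, as a refusal, and keep the filter mapped only to paths that the Realm already requires authentication for, so the PEP never has to decide for an anonymous subject.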

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow