Chapter 9: Security and Container Authentication




Overview

The execution of third-party servlets is increasingly common. Consider an Application Service Provider (ASP) that hosts many web applications on virtual hosts supported by a single servlet container instance. It is vital that the actions of one web application do not bring down the entire server. The ability to restrict certain actions is vital to the well-being of a server and the web applications running on it.

The Servlet 2.3 specification is very particular about the type of security support that compliant containers should provide. In this chapter, we'll examine the various components of servlet security, including:

  • How we can use server-side policy files

  • How we can configure Tomcat to use Secure Sockets Layer (SSL)

  • How SSL relates to public key encryption, digital signatures, and transitive trust

  • Tomcat 4 Realms, which provide a platform-independent way of performing authentication and role mapping

  • Container-managed security

  • BASIC, FORM-based, DIGEST, and CLIENT-CERT authentication

  • Tomcat's single sign-on mechanism that eliminates multiple authentication requests






Professional Java Servlets 2.3
ISBN: 186100561X
EAN: 2147483647
Year: 2006
Pages: 130
