5. 5 www.appsecinc.com
Tomcat, Jetty, etc.
● Servlet Filter: catch-all
● Tomcat Authenticator: authentication method
● SPI Login Module: authentication provider
● Realm: authorizes users; a database of users and roles
● User Database
● JAAS Realm: Java Authentication and Authorization Service
● …
6. Demo: FORM
● How: Login Module + JAAS Realm
● Authentication Method = FORM
● Username, password from FORM
● Windows Logon
● Groups => Roles
7. Demo: JAAS
● How: Login Module + JAAS Realm
● Authentication Method = BASIC
● Username, password from browser
● Windows Logon
● Groups => Roles
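As an added example (not from the deck) of how both demos are wired into Tomcat: a context.xml that declares the JAASRealm, whose roleClassNames setting is what turns the login module's group principals into Tomcat roles, and a web.xml using the FORM method; the BASIC demo differs only in the login-config element. The application name, principal class names, login module class and page paths are placeholders.

```xml
<!-- META-INF/context.xml: Tomcat's JAASRealm delegates authentication to the
     JAAS login context named by appName. The matching entry lives in a
     jaas.config file passed to Tomcat as -Djava.security.auth.login.config, e.g.
        JaasDemo { com.example.WindowsLogonModule required; };
     (placeholder class standing in for the deck's Windows logon module).
     Principals of userClassNames become the user; principals of roleClassNames
     become the roles checked against web.xml (the "Groups => Roles" step). -->
<Context>
  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="JaasDemo"
         userClassNames="com.example.UserPrincipal"
         roleClassNames="com.example.GroupPrincipal"/>
</Context>

<!-- WEB-INF/web.xml (FORM demo). For the BASIC demo replace <login-config>
     with <auth-method>BASIC</auth-method> and a <realm-name>; the browser then
     supplies the username and password instead of the form. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- must match a group principal name produced by the login module -->
      <role-name>admins</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- FORM and BASIC both send the password in clear; force TLS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- login.jsp must POST j_username and j_password to j_security_check -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>admins</role-name>
  </security-role>
</web-app>
```

A quick check after deployment: a request to /secure/ without a session should redirect to the login page over HTTPS, and a user whose group list lacks admins should receive 403 after a successful login rather than the protected content.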