I am looking into the security model of Tomcat and have a question regarding when security realms come into effect. I have secured a portion of my web app:
<security-constraint>
    <display-name>My Realm</display-name>
    <web-resource-collection>
        <web-resource-name>MyServices</web-resource-name>
        <url-pattern>/service/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>AUser</description>
        <role-name>AUser</role-name>
    </auth-constraint>
</security-constraint>
and have configured this web app to use JDBCRealm.
I have an initial Filter defined where getSession() is invoked, and thus a cookie is returned to the client’s browser during the response. When the client makes another request, is the security realm bypassed when the cookie is returned (current authenticated session)? What class makes this decision (to invoke a security realm or not)? JDBCRealm has no notion of cookies or sessions, and RealmBase looks like it has some cookie logic, but not much.
It happens per session if possible, and happens here in AuthenticatorBase.
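To make the per-session behaviour concrete, here is an added, simplified stand-alone model of the decision (not Tomcat's own code): a counting stand-in for JDBCRealm, a session that carries the cached Principal, and an authenticator whose `cache` flag mirrors the `cache` attribute of Tomcat's authenticator valves. The user name and password are constructed for the demo.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of what AuthenticatorBase decides on each request:
// with caching on, a session that already holds a Principal skips the Realm.
public class SessionAuthCacheDemo {

    // Stand-in for JDBCRealm that records how often it is actually consulted.
    static class CountingRealm {
        int authenticateCalls = 0;
        private final Map<String, String> users = new HashMap<>();
        CountingRealm() { users.put("alice", "s3cret"); } // constructed credentials

        String authenticate(String user, String password) {
            authenticateCalls++;
            return (user != null && password.equals(users.get(user))) ? user : null;
        }
    }

    // Stand-in for the HttpSession created by the Filter's getSession().
    static class Session { String principal; }

    // Stand-in for AuthenticatorBase; cache mirrors the valve's cache="true|false".
    static class Authenticator {
        final CountingRealm realm;
        final boolean cache;
        Authenticator(CountingRealm realm, boolean cache) { this.realm = realm; this.cache = cache; }

        // Returns the authenticated user, or null when the request must be rejected.
        String invoke(Session session, String user, String password) {
            if (cache && session != null && session.principal != null) {
                return session.principal;        // Realm bypassed: cached Principal reused
            }
            String p = realm.authenticate(user, password);
            if (p != null && cache && session != null) {
                session.principal = p;           // remember for later requests on this session
            }
            return p;
        }
    }

    public static void main(String[] args) {
        CountingRealm realm = new CountingRealm();
        Authenticator auth = new Authenticator(realm, true);
        Session s = new Session();
        auth.invoke(s, "alice", "s3cret");       // first request: Realm consulted, Principal cached
        auth.invoke(s, null, "");                // same session cookie: Realm not consulted
        System.out.println("realm calls with cache: " + realm.authenticateCalls);

        CountingRealm realm2 = new CountingRealm();
        Authenticator noCache = new Authenticator(realm2, false);
        Session s2 = new Session();
        noCache.invoke(s2, "alice", "s3cret");
        noCache.invoke(s2, "alice", "s3cret");   // without caching every request hits the Realm
        System.out.println("realm calls without cache: " + realm2.authenticateCalls);
    }
}
```

In the real container the cached Principal is cleared when the session is invalidated or expires, so session lifetime bounds how long a Realm decision (for example a revoked database row) is reused.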