5.1 Use secure Realms

Information

A realm is a database of usernames and passwords used to identify valid users of web applications. Review the Realms configuration to ensure Tomcat is not configured to use MemoryRealm, JDBCRealm, UserDatabaseRealm and JAASRealm.

Rationale:

According to the Tomcat documentation: the MemoryRealm and JDBCRealm are not designed for production usage and could result in reduced availability; the UserDatabaseRealm is not intended for large-scale installations; and the JAASRealm is not widely used and therefore the code is not as mature as the other realms.

Solution

Set the Realm className setting in $CATALINA_HOME/conf/server.xml to one of the appropriate realms.

References:

https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html

https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv7|14.6

Plugin: Unix

Control ID: e510ccd0b0120bade8a2296bf635ac49fbb3fda1114e56d9666d6056452ec798