5.1 Use secure Realms

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

A realm is a database of usernames and passwords used to identify valid users of web applications. Review the Realms configuration to ensure Tomcat is not configured to use MemoryRealm, JDBCRealm, UserDatabaseRealm, or JAASRealm.

Rationale:

According to the Tomcat documentation: MemoryRealm and JDBCRealm are not designed for production usage and could result in reduced availability; the UserDatabaseRealm is not intended for large-scale installations; and the JAASRealm is not widely used and therefore the code is not as mature as the other realms.

Solution

Set the Realm className setting in $CATALINA_HOME/conf/server.xml to one of the appropriate realms.

See Also

https://workbench.cisecurity.org/files/4103