Preloader image

This example shows how to secure access to a web resource provided by a servlet. For this, we will use realms.

A realm, in JEE world, is a security policy domain defined for a web or application server. A realm contains a collection of users, who may or may not be assigned to a group.

A realm, basically, specifies a list of users and roles. I’s a "database" of users with associated passwords and possible roles. The Servlet Specification doesn’t specifies an API for specifying such a list of users and roles for a given application. For this reason, Tomcat servlet container defines an interface, org.apache.catalina.Realm. More information can be found here.

In TomEE application server, the mechanism used by Tomcat to define a realm for a servlet is reused and enhanced. More information can be found here.


This example shows a servlet secured using a realm. The secured servlet has a simple functionality, just for illustrating the concepts explained here:

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

public class SecuredServlet extends HttpServlet {
    protected void service(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException, IOException {

For securing this servlet, we will add the following class:

import jakarta.enterprise.context.RequestScoped;

@RequestScoped // just to show we can be bound to the request but @ApplicationScoped is what makes sense
public class AuthBean {
    public Principal authenticate(final String username, String password) {
        if (("userA".equals(username) || "userB".equals(username)) && "test".equals(password)) {
            return new Principal() {
                public String getName() {
                    return username;

                public String toString() {
                    return username;
        return null;

    public boolean hasRole(final Principal principal, final String role) {
        return principal != null && (
                principal.getName().equals("userA") && (role.equals("admin")
                        || role.equals("user"))
                        || principal.getName().equals("userB") && (role.equals("user"))

The class defines 2 methods: authenticate and hasRole. Both these methods will be used by a class, LazyRealm, implemented in TomEE application server. In the file webapp/META-INF/context.xml this realm is configured:

<Context preemptiveAuthentication="true">
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" />
  <Realm className="org.apache.tomee.catalina.realm.LazyRealm"
         cdi="true" realmClass="org.superbiz.AuthBean"/>

The class AuthBean defines a "database" with 2 users: userA (having role admin) and userB (having role user), both having the password test. Class org.apache.tomee.catalina.realm.LazyRealm will load our AuthBean class and will use it to check if a user has access to the content provided by our servlet.


import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.apache.openejb.arquillian.common.IO;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.asset.EmptyAsset;
import org.jboss.shrinkwrap.api.asset.FileAsset;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Test;
import org.junit.runner.RunWith;


import static org.hamcrest.CoreMatchers.startsWith;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThat;

public class AuthBeanTest {
    @Deployment(testable = false)
    public static WebArchive createDeployment() {
        return ShrinkWrap.create(WebArchive.class, "low-typed-realm.war")
                .addClasses(SecuredServlet.class, AuthBean.class)
                .addAsManifestResource(new FileAsset(new File("src/main/webapp/META-INF/context.xml")), "context.xml")
                .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");

    private URL webapp;

    public void success() throws IOException {
        assertEquals("200 Servlet!", get("userA", "test"));

    public void failure() throws IOException {
        assertThat(get("userA", "oops, wrong password"), startsWith("401"));

    private String get(final String user, final String password) {
        final BasicCredentialsProvider basicCredentialsProvider = new BasicCredentialsProvider();
        basicCredentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(user, password));
        final CloseableHttpClient client = HttpClients.custom()

        final HttpHost httpHost = new HttpHost(webapp.getHost(), webapp.getPort(), webapp.getProtocol());
        final AuthCache authCache = new BasicAuthCache();
        final BasicScheme basicAuth = new BasicScheme();
        authCache.put(httpHost, basicAuth);
        final HttpClientContext context = HttpClientContext.create();

        final HttpGet get = new HttpGet(webapp.toExternalForm() + "servlet");
        CloseableHttpResponse response = null;
        try {
            response = client.execute(httpHost, get, context);
            return response.getStatusLine().getStatusCode() + " " + EntityUtils.toString(response.getEntity());
        } catch (final IOException e) {
            throw new IllegalStateException(e);
        } finally {
            try {
            } catch (final IOException e) {
                // no-op

The test uses Arquillian to start an application server and load the servlet. There are two tests methods: success, where our servlet is accessed with the correct username and password, and failure, where our servlet is accessed with an incorrect password.

Full example can be found here. It’s a maven project, and the test can be run with mvn clean install command.