Apache Tomcat can do container-managed security, where Tomcat connects to an identity data store for user authentication. The Apache Tomcat Realm Configuration HOW-TO explains in general how to set this up.
This article demonstrates how to set up Tomcat 7 to use OpenDJ with a JNDIRealm for a virtual host. The basic setup sidesteps some of the complexity by using a single OpenDJ server, though the JNDIRealm lets you set both a connectionURL and an alternateURL to allow for failover. The basic setup also does not cover securing the connection from Tomcat to OpenDJ. If you deploy OpenDJ as an identity store for Tomcat in production, then Tomcat should connect to OpenDJ using StartTLS or LDAPS to avoid sending passwords in clear text when users authenticate.
Users and Roles in OpenDJ
In order to have some test users, you can import Example.ldif into a dc=example,dc=com suffix in OpenDJ at installation time. (See the OpenDJ Installation Guide for help installing the latest nightly build of OpenDJ.) Here is a search on a famous example user:
Roles in Apache Tomcat map to groups in OpenDJ. Therefore, define a couple of groups to use with Tomcat.
For the Tomcat realm configuration, the following definition connects to OpenDJ on the local host, port 1389 (the default LDAP port when not running as root on Linux or UNIX), and lets users log in by uid (for example, Babs Jensen logs in as
Group membership comes either from OpenDJ group lookup, or from the isMemberOf attribute on the user entry.
Add the definition to /path/to/tomcat/conf/server.xml, for example inside the
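As an added example (not the article's own realm definition), here is a JNDIRealm element of the kind described above, nested inside the virtual host. It assumes the Example.ldif layout (users under ou=People, groups under ou=Groups in dc=example,dc=com); the second server host name and the group names are placeholders.

```xml
<!-- Added example, not the article's configuration. Assumes Example.ldif
     loaded under dc=example,dc=com on a local OpenDJ listening on 1389;
     "opendj2.example.com" is a placeholder for a second replica. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <Realm className="org.apache.catalina.realm.JNDIRealm"
         <!-- Primary and failover servers. In production use ldaps://
              (OpenDJ's default non-root LDAPS port is 1636) or StartTLS,
              so the user's bind password never crosses the wire in clear. -->
         connectionURL="ldap://localhost:1389"
         alternateURL="ldap://opendj2.example.com:1389"

         <!-- {0} is replaced with the login name, e.g. bjensen, and Tomcat
              authenticates by binding as that DN with the supplied password,
              so no service account (connectionName/connectionPassword) is
              needed just to verify credentials. -->
         userPattern="uid={0},ou=People,dc=example,dc=com"

         <!-- Roles from OpenDJ group lookup: every group under ou=Groups
              whose uniqueMember holds the user's DN contributes its cn as
              a Tomcat role. The cn values must match the role-name entries
              in each application's web.xml. -->
         roleBase="ou=Groups,dc=example,dc=com"
         roleSubtree="true"
         roleSearch="(uniqueMember={0})"
         roleName="cn"

         <!-- Alternative named in the text: read roles from the user entry's
              isMemberOf attribute instead of searching groups. Its values
              are full group DNs, so web.xml role-names would then have to
              match those DNs. Uncomment to use; keep only one approach. -->
         <!-- userRoleName="isMemberOf" -->
  />

</Host>
```

Because roles are matched by name, a web.xml `<auth-constraint>` listing `<role-name>tomcat-users</role-name>` (placeholder) grants access only to users whose group in ou=Groups has that cn.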
Make sure OpenDJ is running, and then restart Tomcat to be sure the changes take effect.
Try the example application with form-based login shipped with Tomcat, http://localhost:8080/examples/jsp/security/protected/
bjensen with password
At this point you can add your own protected applications.