is JAASRealm the solution and if not, what is the solution

Greenhorn
Posts: 14
I have developed a Tomcat application acting as a kind of CMS, where all the contents are stored in a subfolder of my Tomcat application named 'contents'.

I currently use a JNDI Realm configured to use the 'user' table of my application and which protects this folder, so users need to be connected to my application to see the contents.
But this is not sufficient, since my application gives the ability to define detailed access rights for each user, such as:
'user1' can access 'content1' at any time, and 'content2' only during july 2015.
'user2' can access 'content3' only during july 2015.

The problem with the current JNDI Realm is:
Once 'user1' is connected, if he knows how to use browser development tools, he will be able to give 'user2' the URL of 'content1' and 'content2'.
And when 'user2' is connected, he will be able to access 'content1' and 'content2' by entering the URL in another tab of the browser, since he has been authenticated by the JNDI Realm.

JAASRealm could be a solution if I can implement a custom logic where I get the URL requested by the user, and I check in my CMS database if the user has appropriate rights to access this URL at this moment.

Is this possible, and how? Tomcat doc at https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JAASRealm is a bit weird for me.

If not, what would be alternative solutions?

For instance, I am also wondering if I could put this folder 'contents' in a cloud (Google, Microsoft, AWS), and configure this cloud storage so it is only accessible from my application. I know really few things about clouds.

Please advise.
Saloon Keeper
Posts: 27807
Well, first off, DO NOT write files/directories into your web application. The WAR should be considered read-only, because in many cases it is, and even if it's not, you're only one software update from losing all your data. Put updateable content in a directory external to both the webapp and to Tomcat itself.

You cannot grant extra security powers to a webapp by switching Realms. All the Realms are plug-interchangeable so they all provide the same services and only the mechanisms by which they obtain/validate data are different from Realm to Realm.

Realm-based security isn't intended to provide per-user granularity anyway. Realms are based on groups, not individuals. So to get that finer level of distinction, you'd have to put JAAS code in the webapp. Leave the Realm for the front-line defense, then you can rely on what the getRemoteUser() call returns to provide a secure identification of which user is making the request, and use that userid as a key into the set of internal security rules that you set up. You might want to look around at some of the existing internal-level security systems available. The Spring framework has one (named, originally enough, spring-security). There's also at least one other well-known product whose primary purpose is Java webapp security, although I cannot remember its name.


On clouds, you are asking about cloud-based storage such as Amazon's S3 or OpenStack's Swift. That kind of stuff is generally designed to store objects, not to provide a file system itself. Actual access occurs via ReST HTTP functions. Normally you wouldn't have the webapp local and the storage be cloud-based; you'd have the webapp also be cloud-based (for example, Amazon's EC2). In that case, both servers would be behind the same firewall - and potentially on the same private VPN. In which case no external attackers would be able to access your object store at all.
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
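One way to put the per-user check inside the webapp as the answer suggests, as an added example that is neither the poster's code nor Tomcat's: a servlet Filter mapped to /contents/* that keys on getRemoteUser() and returns 403 for anything the CMS rules do not grant on today's date, so a user who is handed another user's URL still cannot open it. The class name, rule table and URL layout are assumptions; the sample rules are constructed from the question (user1/content1 always, user1/content2 and user2/content3 only in July 2015), where a real CMS would query its database instead.

```java
import java.io.IOException;
import java.time.LocalDate;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter mapped to /contents/* in web.xml. The Realm still does the
// authentication; this filter enforces per-user, per-content, time-bound rights.
public class ContentAccessFilter implements Filter {
    // One access rule: a content name plus an optional validity window (null = unbounded).
    static final class Rule {
        final String content; final LocalDate from, to;
        Rule(String c, LocalDate f, LocalDate t) { content = c; from = f; to = t; }
        boolean allowsOn(LocalDate d) { return (from == null || !d.isBefore(from)) && (to == null || !d.isAfter(to)); }
    }
    // Constructed sample rules mirroring the question; a real CMS would load these from its database.
    static final Map<String, List<Rule>> RULES = new HashMap<>();
    static {
        LocalDate jul1 = LocalDate.of(2015, 7, 1), jul31 = LocalDate.of(2015, 7, 31);
        RULES.put("user1", Arrays.asList(new Rule("content1", null, null), new Rule("content2", jul1, jul31)));
        RULES.put("user2", Collections.singletonList(new Rule("content3", jul1, jul31)));
    }
    // Pure decision: may `user` read `content` on `day`? Unknown users or contents are denied.
    static boolean isAllowed(String user, String content, LocalDate day) {
        if (user == null || content == null) return false;
        for (Rule r : RULES.getOrDefault(user, Collections.<Rule>emptyList()))
            if (r.content.equals(content) && r.allowsOn(day)) return true;
        return false;
    }
    // First path segment after /contents/, e.g. "/contents/content1/page.html" -> "content1".
    static String contentOf(String pathWithinApp) {
        String prefix = "/contents/";
        if (pathWithinApp == null || !pathWithinApp.startsWith(prefix)) return null;
        String rest = pathWithinApp.substring(prefix.length());
        int slash = rest.indexOf('/');
        String name = slash < 0 ? rest : rest.substring(0, slash);
        return name.isEmpty() ? null : name;
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getRemoteUser() is filled in by the Realm once container authentication has succeeded.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (!isAllowed(request.getRemoteUser(), contentOf(path), LocalDate.now())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig fc) {}
    @Override public void destroy() {}
}
```

Keep the existing security-constraint on /contents/* in web.xml so the Realm still forces a login before the filter runs; the filter only adds the per-user decision on top of that.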