It was the weekend. I don't get paid for being here, so I usually don't check in on weekends. Don't expect 5-minute response times on the Ranch - that would cost extra and we don't work that way. Be patient, and if someone knows the answer, you'll hear sooner or later.
Tomcat security Realms are Tomcat's implementation of the J2EE and JEE container-managed security standards. Container-managed security is not only directly supported by the standard and its API, it's designed so that many forms of exploit will get bounced by Tomcat without getting anywhere near their intended victim webapp. If there have ever been any cases where it has been circumvented, I am not aware of them.
There are some third-party security frameworks, such as the Spring security framework for webapps. I generally recommend container-managed security, but if you don't (or cannot) use CMS security, the next-best option is one of the well-known third parties. Note that in some cases third-party frameworks act as additional support for CMS, which is more secure and generally gives finer granularity to security than CMS can by itself.
The absolute worst options for webapp security are to design your own login system, copy one out of a J2EE book, or use one cooked up by your local shop's "expert" and serving as the corporate standard. In my experience, systems using any of these approaches are, about 95% of the time, easily broken by non-technical persons in 15 minutes or less. Security is a chain and even one weak link will break it. Unless you're trained in security and unless security is your full-time job (not something else to do as part of the app), then don't even consider using anything but a well-tested system such as CMS or a well-known third party.
And realize that despite everything, no security system is totally unbreakable, so be prepared to deal with the worst.
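As an added illustration of the container-managed setup the post above recommends (this is an example written for this page, not code from the poster or from the Tomcat project), here are excerpts of the two files involved: the webapp's `WEB-INF/web.xml`, where the constraints live, and its `META-INF/context.xml`, where the Realm that checks credentials and roles is declared. It assumes Tomcat 9 with a Servlet 4.0 descriptor, protected pages under `/admin/*`, hypothetical page names `login.jsp` and `login-failed.jsp`, a JNDI DataSource named `jdbc/appdb` defined elsewhere in the same context, and hypothetical table and column names.

```xml
<!-- WEB-INF/web.xml (excerpt): declarative constraints that Tomcat enforces
     before a request ever reaches the webapp's own servlets or JSPs.
     Assumes Servlet 4.0 / Tomcat 9. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- Deliberately no <http-method> elements: listing only GET and POST
           would leave HEAD, PUT, DELETE, etc. unconstrained (verb tampering).
           With none listed, the constraint applies to every method. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- only an authenticated principal holding this role gets through -->
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- forces HTTPS, so credentials and session cookies are not sent in clear -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example app</realm-name>
    <form-login-config>
      <!-- hypothetical page names for this example; the login form must POST
           to j_security_check with fields j_username and j_password, and
           Tomcat, not the webapp, processes that submission -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>

<!-- META-INF/context.xml (excerpt): the Realm that answers "who is this user and
     which roles do they hold". LockOutRealm wraps the real Realm and throttles
     brute-force guessing; DataSourceRealm looks users and roles up through a
     JNDI DataSource (jdbc/appdb is assumed to be declared as a <Resource> in
     this same context). Table and column names are assumptions for the example. -->
<Context>
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="5" lockOutTime="300">
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/appdb" localDataSource="true"
           userTable="app_user" userNameCol="username" userCredCol="password_hash"
           userRoleTable="app_user_role" roleNameCol="role_name">
      <!-- stored credentials are salted, iterated PBKDF2 hashes, never plaintext -->
      <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                         algorithm="PBKDF2WithHmacSHA512"
                         iterations="100000" keyLength="256" saltLength="16"/>
    </Realm>
  </Realm>
</Context>
```

The webapp itself contains no login code: the servlets under `/admin/` simply call `request.getUserPrincipal()` or `request.isUserInRole("admin")` if they need to know who arrived, and an unauthenticated or wrong-role request never reaches them. The hashes in `password_hash` must be produced by the same CredentialHandler settings; Tomcat's `bin/digest.sh` (or `digest.bat`) accepts `-a`, `-i`, `-s`, `-k` and `-h` options matching the attributes above, so one can generate a stored value from a password without writing any hashing code of one's own.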