Details
A realm is a database of usernames and passwords used to identify valid users of web applications. Review the Realms configuration to ensure Tomcat is not configured to use MemoryRealm, JDBCRealm, UserDatabaseRealm, or JAASRealm.
Rationale:
According to the Tomcat documentation: MemoryRealm and JDBCRealm are not designed for production usage and could result in reduced availability; the UserDatabaseRealm is not intended for large-scale installations; and the JAASRealm is not widely used and therefore the code is not as mature as the other realms.
Solution
Set the Realm className setting in $CATALINA_HOME/conf/server.xml to one of the appropriate realms.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.