Tutorial: Applying End-to-End Security Across a Java Web Environment Using LDAP and Apache Fortress

Shawn McKinney


This tutorial covers how to apply an end-to-end application security architecture featuring Apache
Fortress and OpenLDAP. It is divided into four 30-minute segments:

  1. Install security infrastructure: OpenLDAP and Apache Fortress.
  2. Deploy a simple Java Web app into Apache Tomcat. Get authentication and coarse-grained authorization enabled to control page access.
  3. Add fine-grained authorization to Web application controls (buttons, list boxes, …) and database functions (create, read, update, delete).
  4. Generate keys and certs, and enable TLS on the HTTP, LDAP and JDBC connections.

The student will leave with an understanding of how to apply proper security techniques to Web apps. A number of relevant standards are followed, including Java EE Security, Role-Based Access Control (ANSI INCITS 359), Transport Layer Security (TLS), and X.509. The sample code uses Java, but the techniques may be applied across many different platforms.

Prerequisites

  • All steps run on Debian machines running inside an IaaS cloud environment.
  • Students should have some experience developing apps in Java and using containers like Apache Tomcat.
  • Students should bring a PC or other device that can connect to the internet with a web browser and reach an SSH command prompt.

Outline

  1. Complete the Apache Fortress 10 Minute Guide.
  2. Complete the Apache Wicket Security Tutorial.
  3. Complete the Apache Fortress Demo.
  4. Enable TLS for OpenLDAP, MySQL and Tomcat.
  5. Run Selenium automated unit tests.
  6. Run manual tests to verify security policy.

Course Material

This tutorial is based on a presentation given at JavaOne 2014 and ApacheCon North America 2015. The material to be covered follows:

  1. Apache Fortress Ten Minute Guide
  2. Apache Fortress & Wicket Example
  3. Apache Fortress End-to-End Tutorial

About the Speaker

Shawn McKinney is a System Architect at Symas, a member of the OpenLDAP Engineering Team, and a member of the Apache Directory PMC.