Adding New Users

Kevin DesLauriers
Ranch Hand

Joined: Nov 28, 2005
Posts: 43
So, I am unsure which forum to place this question in, because I guess it could go in quite a few. But I chose here.

I am using Tomcat that comes with Eclipse 3.3.1 and I am using the MyEclipse plugin on an x86_64 Linux machine.

My problem is as follows:

I am writing a web app that uses servlets, POJOs and JSPs currently. Using form-based authentication, users stored in tomcat-users.xml can log in. This works perfectly fine.

But of course, I want new users to be able to join, so I have a register link on the sign-in page that stores user data in an object. I will be using a series of SQL tables to store user data in, but I want the user who just registered to be able to become a user as long as their data is okay on the register form.

Is there a way to update tomcat-users.xml while the app is running and without interaction from me? Or is there another way I should be doing it? I know that I should not be storing passwords in the SQL table.

Thank you
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63852

If you want more flexibility, I'd recommend rolling your own authentication. I've never used the built-in authentication because it's just too limiting.

"I know that I should not be storing passwords in the sql table."

I do it all the time. Of course, I pass them through a one-way hash first for security.
[ January 13, 2008: Message edited by: Bear Bibeault ]

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
If you want to store user data in SQL tables, what's the connection to tomcat-users.xml? If you want a file, use MemoryRealm (and thus tomcat-users.xml); if you want a database, use JDBCRealm or DataSourceRealm.

But overall, I agree with Bear - write your own database-based authentication module once, and reuse it wherever you need it (including hashed passwords). That also has the benefit of allowing very fine-grained control over which URLs to protect - something that's not possible with the built-in mechanism.
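
Added example, not code posted by anyone in this thread: a sketch of the "one-way hash" step that Bear and Ulf describe for a database-backed login, using salted PBKDF2 from the JDK as an assumed choice of hash. The class name, the in-memory map standing in for the SQL users table, the sample account and the iteration count are all assumptions made for the example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStore {
    // Assumed example parameters; tune the iteration count for your hardware.
    private static final int ITERATIONS = 600_000, SALT_BYTES = 16, KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();
    // Stand-in for the users table: user name -> "iterations:salt:hash" (Base64 fields).
    private final Map<String, String> users = new HashMap<>();

    private static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                            // wipe the spec's copy of the password
        }
    }

    /** Called by the registration servlet once the form data has been validated. */
    public boolean register(String user, char[] password) throws Exception {
        if (users.containsKey(user)) return false;           // never overwrite an existing account
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                                 // fresh random salt per user
        Base64.Encoder b64 = Base64.getEncoder();
        users.put(user, ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(derive(password, salt, ITERATIONS)));
        return true;
    }

    /** Called by the login servlet; only derived hashes are compared, never passwords. */
    public boolean verify(String user, char[] password) throws Exception {
        String row = users.get(user);
        if (row == null) return false;
        String[] f = row.split(":");                         // iterations, salt, hash
        byte[] salt = Base64.getDecoder().decode(f[1]);
        byte[] expected = Base64.getDecoder().decode(f[2]);
        byte[] actual = derive(password, salt, Integer.parseInt(f[0]));
        return MessageDigest.isEqual(expected, actual);      // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        PasswordStore store = new PasswordStore();
        store.register("kevin", "correct horse".toCharArray());  // constructed sample account
        System.out.println(store.verify("kevin", "correct horse".toCharArray()));
        System.out.println(store.verify("kevin", "wrong".toCharArray()));
    }
}
```

Storing the iteration count beside each salt and hash lets the work factor be raised later without invalidating existing rows.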
Kevin DesLauriers
Ranch Hand

Joined: Nov 28, 2005
Posts: 43
Thank you both for your help. That helps a lot.