Adding New Users

Kevin DesLauriers
Ranch Hand

Joined: Nov 28, 2005
Posts: 43
So, I am unsure which forum to place this question in, because I guess it could go in quite a few. But I chose here.

I am using the Tomcat that comes with Eclipse 3.3.1, and I am using the MyEclipse plugin on an x86_64 Linux machine.

My problem is as follows:

I am writing a web app that currently uses servlets, POJOs and JSPs. Using form-based authentication, users stored in tomcat-users.xml can log in. This works perfectly fine.

But of course, I want new users to be able to join, so I have a register link on the sign-in page that stores user data in an object. I will be using a series of SQL tables to store user data in, but I want the users who just registered to be able to become users as long as their data is okay on the register form.

Is there a way to update tomcat-users.xml while the app is running and without interaction from me? Or is there another way I should be doing it? I know that I should not be storing passwords in the SQL table.

Thank you
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63838

If you want more flexibility, I'd recommend rolling your own authentication. I've never used the built-in authentication because it's just too limiting.

I know that I should not be storing passwords in the sql table.

I do it all the time. Of course, I pass them through a one-way hash first for security.
[ January 13, 2008: Message edited by: Bear Bibeault ]

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
If you want to store user data in SQL tables, what's the connection to tomcat-users.xml? If you want a file, use MemoryRealm (and thus tomcat-users.xml); if you want a database, use JDBCRealm or DataSourceRealm.

But overall, I agree with Bear - write your own database-based authentication module once, and reuse it wherever you need it (including hashed passwords). That also has the benefit of allowing very fine-grained control over which URLs to protect - something that's not possible with the built-in mechanism.
Kevin DesLauriers
Ranch Hand

Joined: Nov 28, 2005
Posts: 43
Thank you both for your help. That helps a lot.