Implementing basic security mechanism

sandeep yel
Greenhorn

Joined: Jan 22, 2008
Posts: 17
Hi,

I am exploring the possibility of implementing a basic security mechanism in my web application using Tomcat.

I want to know if there is a way to update tomcat-users.xml programmatically - meaning, does Tomcat provide APIs to update tomcat-users.xml?

Any help/advice is most welcome.

Thanks
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

The tomcat-users.xml file is just XML, so it's always possible to update it programmatically, but it's only read when Tomcat starts up.

The memory realm was only put there to serve as an introduction to realms. It is assumed that most production apps will switch to a JDBC or JNDI type realm. Tomcat provides the interface org.apache.catalina.Realm that you can use to implement your own if none of the provided ones provide what you need.

From: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

MemoryRealm

Introduction

MemoryRealm is a simple demonstration implementation of the Tomcat 6 Realm interface. It is not designed for production use. At startup time, MemoryRealm loads information about all users, and their corresponding roles, from an XML document (by default, this document is loaded from $CATALINA_HOME/conf/tomcat-users.xml). Changes to the data in this file are not recognized until Tomcat is restarted.

[ January 22, 2008: Message edited by: Ben Souther ]

sandeep yel
Greenhorn

Joined: Jan 22, 2008
Posts: 17
Is it possible to reread tomcat-users.xml into an application without restarting Tomcat?

While using "Tomcat Administrative Tool" I found that I can add a new user with admin role and also get logged in with new user/password.

Can someone provide a clue as to how this can be achieved?

Thanks
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

The Tomcat Admin app runs as a privileged app and probably accesses the memory realm objects directly.
The nice thing about open source projects is that, if you want to know how they do something, you can grab the source and see for yourself.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42367
    
If you're serious about mucking around with the MemoryRealm (and you should really use a more serious Realm implementation, like DataSourceRealm), you might want to read this article I wrote a while back. The section titled "Integration with Tomcat Realms" explains how to extend MemoryRealm with custom functionality.


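The replies above recommend replacing MemoryRealm with a database-backed realm such as DataSourceRealm. The following configuration is an added example, not code from any poster in this thread or from the Tomcat project. It shows such a realm declared in a web application's context.xml, so that users are added by inserting rows rather than by editing tomcat-users.xml. The JNDI name, driver class, JDBC URL, account names, and table and column names are assumptions chosen for illustration.

```xml
<!-- META-INF/context.xml of the web application (added example; names are assumptions) -->
<Context>

  <!-- Connection pool the realm reads from. Driver, URL and account are placeholders. -->
  <Resource name="jdbc/authdb"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.example.jdbc.Driver"
            url="jdbc:example://dbhost/authdb"
            username="REALM_DB_USER"
            password="REALM_DB_PASSWORD"/>

  <!--
    Assumed schema:
      CREATE TABLE users      (user_name VARCHAR(64) NOT NULL PRIMARY KEY,
                               user_pass VARCHAR(64) NOT NULL);
      CREATE TABLE user_roles (user_name VARCHAR(64) NOT NULL,
                               role_name VARCHAR(64) NOT NULL,
                               PRIMARY KEY (user_name, role_name));

    The realm only reads these tables, so the pool account above needs
    SELECT and nothing more. Code that creates users should connect with
    a separate account that holds INSERT and UPDATE.

    With digest set, user_pass must hold the hex-encoded digest of the
    password, not the clear text.
  -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authdb"
         localDataSource="true"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name"
         digest="SHA-256"/>

</Context>
```

Because this realm queries the database when a user authenticates, a row inserted into users and user_roles is honored at that user's next login without restarting Tomcat.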