aspose file tools*
The moose likes Tomcat and the fly likes Implementing basic security mechanism Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Java 8 in Action this week in the Java 8 forum!
JavaRanch » Java Forums » Products » Tomcat
Bookmark "Implementing basic security mechanism" Watch "Implementing basic security mechanism" New topic

Implementing basic security mechanism

sandeep yel

Joined: Jan 22, 2008
Posts: 17

I am exploring the possibility of implementing basic security mechanism in my web applicationg using tomcat.

I want to know if there is a way to update tomcat-users.xml programmatically - meaning do tomcat provide APIs to update tomcat-users.xml

Any help/advice is most welcomed.

Ben Souther

Joined: Dec 11, 2004
Posts: 13410

The tomcat-users.xml file is just xml so it's always possible to update it programmatically but it's only read when Tomcat starts up.

The memory realm was only put there to serve as an introduction to realms.
It it assumed that most production apps will switch to a JDBC or JNDI type realm. Tomcat provides the interface org.apache.catalina.Realm that you can use to implement your own if none of the provided ones provide what you need.




MemoryRealm is a simple demonstration implementation of the Tomcat 6 Realm interface. It is not designed for production use. At startup time, MemoryRealm loads information about all users, and their corresponding roles, from an XML document (by default, this document is loaded from $CATALINA_HOME/conf/tomcat-users.xml). Changes to the data in this file are not recognized until Tomcat is restarted.

[ January 22, 2008: Message edited by: Ben Souther ]

Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
sandeep yel

Joined: Jan 22, 2008
Posts: 17
Is it possible to reread tomcat-users.xml into an application without restarting tomcat?

While using "Tomcat Administrative Tool" I found that I can add a new user with admin role and also get logged in with new user/password.

Can someone provide a clue as to how this can be achieved.

Ben Souther

Joined: Dec 11, 2004
Posts: 13410

The Tomcat Admin app runs as a privileged app and probably accesses the memory realm objects directly.
The nice thing about open source projects is that, if you want to know how they do something, you can grab the source and see for yourself.
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 39571
If you're serious about mucking around with the MemoryRealm (and you should really use a more serious Realm implementation, like DataSourceRealm), you might want to read this article I wrote a while back. The section titled "Integration with Tomcat Realms" explains how to extend MemoryRealm with custom functionality.

Ping & DNS - updated with new look and Ping home screen widget
It is sorta covered in the JavaRanch Style Guide.
subject: Implementing basic security mechanism
Similar Threads
Update of Tomcat-users.xml by Tomcat Administration Tool
auth-constraint vs security-role
Rereading tomcat-users.xml without restarting tomcat
unable to login in tomcat manager