I'm not a Tomcat expert, so I can't comment on external tools to add user/id pwd. However, I would agree with you that its not a good idea to keep clear text user info in a flat file.
A better approach is to wire up another security framework (i.e LDAP). I *think* I read that you can wire Tomcat to some other security framework, but a cursory search through the tomcat documentation reveals nothing.
<!-- these lines handle field 1 --!>
<logic:equal name="user" property="type" value="owner">
<html assword name="oldPassword"/>
</logic:equal>
When I wrote it, the Struts-JSF package wasn't ready, so I only cover it briefly. On the other hand, there's not much needed to use it; change a few class names in the Struts configuration file and use a few new Struts tags in the JSP pages, and Struts takes care of all the dirty work of getting user interface events handled by JSF and backend code invokations handled by Struts Actions.
What I cover in great detail is how to migrate a Struts application to pure JSF; that's what I feel is most important to cover in a JSF book.