It depends what type of security you are using. Since we're talking about Tomcat, it supports several Realms such as memory, JDBC and LDAP. If you store the user authentication and authorisation information in (for instance) a database and use the JDBC Realm, you can then alter authorisation roles programatically. I don't believe the tomcat-users.xml can be edited at runtime.
Yes, I am using JDBC resources for my database management. There is no problem with the programatic authentication. I just would like to know how to set user roles without having to modify conf files [ July 02, 2006: Message edited by: kwame Iwegbue ]