posted 13 years ago
Actually, if you'll note, the documentation for Tomcat recommends NOT using the MemoryRealm as a production authentication and authorization Realm. It wasn't really intended for industrial-strength use, and it can't handle adding/changing users and roles without restarting Tomcat.
MemoryRealm is good for development and "proof of concept" uses, but most production servers are more likely to be using either a database or an LDAP server as their repository for credentials, when they're not doing something more sophisticated, such as authentication via web services.
Actually, as far as protection goes, none of Tomcat's files should be directly viewable (or alterable!) by unauthorized users. I usually define a "tomcat" user ID to ensure that, and give user "tomcat" the access rights.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.
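To make the development-versus-production distinction concrete, here is an added example (not from the post above, nor from the Tomcat project's own docs) of server.xml Realm fragments: the MemoryRealm that only suits development, beside a database-backed and an LDAP-backed realm of the kind the post recommends for production. The JNDI resource name, table and column names, LDAP host and DNs are assumptions; only one `<Realm>` may sit directly inside a given `<Engine>` or `<Host>`, so pick one.

```xml
<!-- Development / proof of concept only: users and roles are read from
     conf/tomcat-users.xml at startup, so any change needs a Tomcat restart.
     That file holds credentials and must be readable only by the "tomcat"
     OS user the post describes. -->
<Realm className="org.apache.catalina.realm.MemoryRealm"
       pathname="conf/tomcat-users.xml" />

<!-- Production, database-backed. jdbc/authority is an assumed JNDI
     DataSource (declared in context.xml or GlobalNamingResources); table
     and column names are assumptions too. Users and roles change without a
     restart. LockOutRealm (Tomcat 7+) temporarily locks an account after
     repeated failures; CredentialHandler (Tomcat 8+) makes the realm
     compare salted PBKDF2 hashes instead of plaintext passwords. -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5" lockOutTime="300">
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authority"
         localDataSource="false"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name">
    <CredentialHandler
        className="org.apache.catalina.realm.SecretKeyCredentialHandler"
        algorithm="PBKDF2WithHmacSHA512"
        iterations="100000"
        keyLength="256"
        saltLength="16" />
  </Realm>
</Realm>

<!-- Production, LDAP-backed alternative (JNDIRealm). Host, base DNs and
     attribute names are assumptions; the directory, not Tomcat, is the
     source of truth for users and group membership. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.internal:389"
       userPattern="uid={0},ou=people,dc=example,dc=internal"
       roleBase="ou=groups,dc=example,dc=internal"
       roleName="cn"
       roleSearch="(member={0})" />
```

Stored password hashes for the DataSourceRealm must be produced with the same handler settings, e.g. with Tomcat's bin/digest.sh passing matching -h, -a, -i, -s and -k values.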