Implementing basic security mechanism

 
sandeep yel
Hi,

I am exploring the possibility of implementing a basic security mechanism in my web application using Tomcat.

I want to know if there is a way to update tomcat-users.xml programmatically - meaning, does Tomcat provide APIs to update tomcat-users.xml?

Any help/advice is most welcomed.

Thanks
 
Ben Souther
The tomcat-users.xml file is just xml so it's always possible to update it programmatically but it's only read when Tomcat starts up.

The memory realm was only put there to serve as an introduction to realms.
It is assumed that most production apps will switch to a JDBC or JNDI type realm. Tomcat provides the interface org.apache.catalina.Realm that you can use to implement your own if none of the provided ones provide what you need.

From: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

MemoryRealm

Introduction

MemoryRealm is a simple demonstration implementation of the Tomcat 6 Realm interface. It is not designed for production use. At startup time, MemoryRealm loads information about all users, and their corresponding roles, from an XML document (by default, this document is loaded from $CATALINA_HOME/conf/tomcat-users.xml). Changes to the data in this file are not recognized until Tomcat is restarted.

[ January 22, 2008: Message edited by: Ben Souther ]
 
sandeep yel
Is it possible to reread tomcat-users.xml into an application without restarting tomcat?

While using "Tomcat Administrative Tool" I found that I can add a new user with admin role and also get logged in with new user/password.

Can someone provide a clue as to how this can be achieved?

Thanks
 
Ben Souther
The Tomcat Admin app runs as a privileged app and probably accesses the memory realm objects directly.
The nice thing about open source projects is that, if you want to know how they do something, you can grab the source and see for yourself.
 
Ulf Dittmer
If you're serious about mucking around with the MemoryRealm (and you should really use a more serious Realm implementation, like DataSourceRealm), you might want to read this article I wrote a while back. The section titled "Integration with Tomcat Realms" explains how to extend MemoryRealm with custom functionality.
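
The switch to a database-backed realm recommended in the replies above, as an added configuration sketch (not from any poster and not Tomcat's shipped configuration): DataSourceRealm queries the database at each login, so user rows the application inserts take effect without a restart. The JNDI name `jdbc/authdb`, the JDBC URL, the account and the table and column names are assumptions; the Realm attribute names are the ones documented in the realm how-to linked above.

```xml
<!-- conf/server.xml (Tomcat 6). Constructed example: jdbc/authdb, the JDBC
     URL, the account and all table/column names are assumptions. -->

<!-- 1. Inside <GlobalNamingResources>: the connection pool the realm uses.
        Give this account SELECT rights on the two tables only. -->
<Resource name="jdbc/authdb" auth="Container" type="javax.sql.DataSource"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost:3306/authdb"
          username="tomcat_ro" password="REPLACE_ME"
          maxActive="10" maxIdle="2" />

<!-- 2. Inside <Engine> or <Host>.
     Before: users come from conf/tomcat-users.xml, read only at startup.
<Realm className="org.apache.catalina.realm.MemoryRealm" />
-->

<!-- After: credentials and roles are looked up in the database at login.
     digest names a java.security.MessageDigest algorithm, so user_pass
     must hold the hex digest of the password, never the clear text.
     Tomcat 6 realm digests are unsalted. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authdb"
       userTable="users"
       userNameCol="user_name"
       userCredCol="user_pass"
       userRoleTable="user_roles"
       roleNameCol="role_name"
       digest="SHA-256" />

<!-- Matching schema (assumed names):
  CREATE TABLE users (
    user_name VARCHAR(64) NOT NULL PRIMARY KEY,
    user_pass VARCHAR(64) NOT NULL
  );
  CREATE TABLE user_roles (
    user_name VARCHAR(64) NOT NULL,
    role_name VARCHAR(64) NOT NULL,
    PRIMARY KEY (user_name, role_name)
  );
  The application adds a user with ordinary INSERTs through its own,
  separately privileged database account.
-->
```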
 