2

After searching online for quite some time, I cannot find a good way to edit users from within a JSP script besides opening tomcat-users.xml and manually editing it. Not only is this a security vulnerability because I have to give the www user permissions to tomcat-users.xml, but I have to restart Tomcat to see any effect, rendering any changes useless.

Since the deployment is entirely internal, I wouldn't be entirely against manually editing tomcat-users.xml via the JSP. Editing Apache via an .htaccess wrapper is out of the question (this was my original solution), as part of the application apparently depends on the Tomcat login.

Are there any better methods inherent to Tomcat to maintain users? I am using Tomcat 6.0.

BalusC
kevin948

1 Answer

4

Store them in a relational database server instead. Read the JDBCRealm chapter of the Tomcat Realm Howto on how to set up a database-based realm instead of a file-based realm (which is indeed the default realm).

This way you have all the freedom to manage the users table in the database by JDBC, JPA, Hibernate, etc. Please note that this job is supposed to be (indirectly) done by a Servlet, not a JSP.

Community
BalusC
  • Hmm, I don't have permission to install an SQL server or anything, but I may be able to get away with sqlite3. Thanks for the suggestion; I'll look further into it tomorrow. – kevin948 Oct 21 '11 at 02:44
  • 2
    JavaDB (built in JDK) and H2 are also good embedded databases. – BalusC Oct 21 '11 at 02:50
  • 1
    Note to anybody who may see this: do not use sqlite3 with Tomcat, there is no native support. Use BalusC's suggestions. – kevin948 Oct 21 '11 at 21:13
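A sketch of the approach the answer describes, added here as an example and not code from the question, the answer or Tomcat itself: a helper a servlet could call to create a realm user over JDBC. The class name, table and column names, and the H2 driver/URL in the comment are assumptions; the realm attributes are the ones documented for JDBCRealm.

```java
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;

/*
 * Realm assumed in server.xml (table/column names chosen for this example,
 * connectionURL is a placeholder):
 * <Realm className="org.apache.catalina.realm.JDBCRealm"
 *        driverName="org.h2.Driver" connectionURL="jdbc:h2:/PLACEHOLDER/realm"
 *        userTable="users" userNameCol="user_name" userCredCol="user_pass"
 *        userRoleTable="user_roles" roleNameCol="role_name" digest="SHA-256"/>
 */
public class RealmUsers {
    // Hex digest to store in user_pass when the realm has digest="SHA-256".
    // The byte encoding here must match the one the realm uses.
    static String digestHex(String password) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(password.getBytes("UTF-8"));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Insert the user and one role in a single transaction, so a failure
    // never leaves a user without a role or a role without a user.
    public static void addUser(Connection c, String user, String password, String role)
            throws Exception {
        c.setAutoCommit(false);
        try {
            insert(c, "INSERT INTO users (user_name, user_pass) VALUES (?, ?)",
                   user, digestHex(password));
            insert(c, "INSERT INTO user_roles (user_name, role_name) VALUES (?, ?)",
                   user, role);
            c.commit();
        } catch (Exception e) {
            c.rollback();
            throw e;
        }
    }

    // Values are bound as parameters, never concatenated into the SQL text.
    private static void insert(Connection c, String sql, String a, String b) throws Exception {
        PreparedStatement ps = c.prepareStatement(sql);
        try {
            ps.setString(1, a);
            ps.setString(2, b);
            ps.executeUpdate();
        } finally {
            ps.close();
        }
    }
}
```

JDBCRealm looks the user up in the database at login, so a row added this way is usable without restarting Tomcat. The servlet that calls `addUser` should itself sit behind a security constraint limited to an administrative role.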