I have a web application which I deploy in Tomcat. I want to secure all pages under the URL path administration/*.

I have set up container-managed security by entering the following snippet in the web.xml file:

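<security-role>
    <role-name>administrator</role-name>
</security-role>
<!-- Every role named in an auth-constraint should also be declared -->
<security-role>
    <role-name>member</role-name>
</security-role>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>AdministrationPanel</web-resource-name>
        <url-pattern>/administration/*</url-pattern>
        <!-- Only the methods listed here are constrained; with no http-method elements the constraint covers all methods -->
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>administrator</role-name>
        <role-name>member</role-name>
    </auth-constraint>
</security-constraint>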

and in $CATALINA_HOME/conf/tomcat-users.xml I have

<user username="userA" password="userA" roles="administrator"/>

Everything is working fine. I get a login box and I can authenticate myself as userA.

However, I would like to be able to store new users directly by using the web application, change user passwords, etc.

Is it possible to tell Tomcat to get the users, passwords and roles any other way? For example, a class which retrieves them from the database.

+4  A: 

Yes, it's definitely possible, just check http://tomcat.apache.org/tomcat-4.1-doc/realm-howto.html#DataSourceRealm

miceuz

+1  A: 

Or for the current Release Tomcat 6 Realm Howto

Eduard Wirch
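
A DataSourceRealm setup of the kind both answers point to, written for Tomcat 6 as an added example (not part of the original posts). The resource name jdbc/AuthDB, the JDBC driver and URL, the database account and the table and column names are assumptions; the web.xml from the question stays unchanged.

```xml
<!-- META-INF/context.xml of the web application (added example, Tomcat 6) -->
<Context>

    <!-- Connection pool used only for authentication lookups.
         Driver, URL, account and password are placeholders (assumptions).
         Give this account SELECT rights on the two tables below and nothing else;
         the application writes users through its own, separate account. -->
    <Resource name="jdbc/AuthDB"
              auth="Container"
              type="javax.sql.DataSource"
              driverClassName="com.mysql.jdbc.Driver"
              url="jdbc:mysql://localhost:3306/appdb"
              username="REALM_READONLY_USER"
              password="CHANGE_ME"
              maxActive="10"
              maxIdle="2"/>

    <!-- Assumed schema (hypothetical names):
           CREATE TABLE users (
               user_name VARCHAR(64)  NOT NULL PRIMARY KEY,
               user_pass VARCHAR(128) NOT NULL   (hex digest, not clear text)
           );
           CREATE TABLE user_roles (
               user_name VARCHAR(64) NOT NULL,
               role_name VARCHAR(64) NOT NULL,
               PRIMARY KEY (user_name, role_name)
           );
         role_name holds the names used in web.xml, e.g. administrator. -->

    <!-- localDataSource="true": the DataSource is defined in this Context,
         not in GlobalNamingResources.
         digest: user_pass stores a digest, so the application must hash a
         password the same way before inserting or updating a row. A value for a
         first account can be produced with
           $CATALINA_HOME/bin/digest.sh -a SHA-256 <password>
         Later Tomcat versions replace this attribute with a nested
         CredentialHandler element. -->
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/AuthDB"
           localDataSource="true"
           userTable="users"
           userNameCol="user_name"
           userCredCol="user_pass"
           userRoleTable="user_roles"
           roleNameCol="role_name"
           digest="SHA-256"/>

</Context>
```

BASIC authentication sends the password with every request, so the /administration/* constraint should also require HTTPS through a user-data-constraint with transport-guarantee CONFIDENTIAL.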