I have a web application that I am deploying to Tomcat. I want to protect all pages running URLs / *.
I set container-managed security by entering the following snippet in the web.xml file:
<security-role> <role-name>administrator</role-name> </security-role> <login-config> <auth-method>BASIC</auth-method> </login-config> <security-constraint> <web-resource-collection> <web-resource-name>AdministrationPanel</web-resource-name> <url-pattern>/administration/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>administrator</role-name> <role-name>member</role-name> </auth-constraint> </security-constraint>
and in $ CATALINA_HOME / conf / tomcat-users.xml I have
<user username="userA" password="userA" roles="administrator"/>
Everything is working fine. I get a login window and I can authenticate as userA.
However, I would like to be able to store new users directly using a web application, change user passwords, etc.
Is it possible to tell tomcat to get users, passwords and roles in some other way? For example, a class that retrieves them from the database.
source share