How to add group in tomcat-users.xml?

Question

How to add group in tomcat-users.xml and is there many versions of this file. In some file there is only and in some there is

Answer 1

Tomcat has only users and roles: all permissions are given based upon "role" which I suppose could mean "group".

In order to add a role to tomcat-users.xml, all you need to do is type it in. Here is the stock tomcat-users.xml file that ships with Tomcat (7.0.29):

<tomcat-users>
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
-->
</tomcat-users>

Note that everything is surrounded with XML comments, so it's effectively empty.

Let's say that you want to add the role "myGroup" and put yourself ("kad") into it:

<tomcat-users>
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
-->
  <role rolename="myGroup" />
  <user username="kad" password="secret" roles="myGroup" />
</tomcat-users>

Now you just need to configure your webapp to check for the "myGroup" role when allowing access to various resources. You can do this within your webapp's web.xml file, or programatically using the ServletRequest.isUserInRole("myGroup") method.

Note that you shouldn't really use tomcat-users.xml for authentication in a production environment except for maybe using Tomcat's 'manager' webapp: it's just too in-flexible for anything industrial-strength.