Password changes only take effect upon restart of Tomcat?

[Jonathan Eric Miller <je...@uchicago.edu>]

I've been playing around with the basic HTTP authentication in Tomcat and it
seems to be working fine.

However, it seems that when you change a user's password in
tomcat-users.xml, it isn't until you restart the server that the password
change takes affect.

I can see why one might take this approach so as to not slow the server down
always re-reading the password file. However, this behavior is different
from Apache Web Server.

Would it be possible to make it so that the file gets re-read when it is
modified?

The reason I ask is because I have an application that allows users to
change their passwords through the application itself. Therefore, it isn't
desirable to have to restart the Web server everytime a user changes their
password.

Another feature that would be nice is if the passwords were encrypted using
crypt or MD5 or something. I know I ask a lot! You guys are doing a great
job and I'm sure that you are probably busy working on other things! ;-)

Jon