After searching online for quite some time, I cannot find a good way to edit users from within a JSP script besides opening tomcat-users.xml and manually editing it. Not only is this a security vulnerability because I have to give the www user permissions to tomcat-users.xml, but I have to restart Tomcat to see any effect, rendering any changes useless.
Since the deployment is entirely internal, I wouldn't be entirely against manually editing tomcat-users.xml via the JSP. Editing Apache via an .htaccess wrapper is out of the question (this was my original solution), as part of the application apparently depends on the Tomcat login.
Are there any better methods inherent to Tomcat to maintain users? I am using Tomcat 6.0.
Store them in a relational database server instead. Read the JDBCRealm chapter of the Tomcat Realm Howto on how to set up a database-based realm instead of a file-based realm (which is indeed the default realm).
This way you have all the freedom to manage the users table in the database by JDBC, JPA or Hibernate, etcetera. Please note that this job is supposed to be (indirectly) done by a Servlet, not a JSP.
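A sketch of the servlet side of this answer, added here as an example and not part of the original post: it inserts a user and role into the tables a JDBCRealm reads, using parameterized statements and a digested password. The servlet name, the JNDI name jdbc/authDB, the request parameter names and digest="SHA-256" are assumptions; the table and column names follow the Realm How-To's sample schema, and the servlet is assumed to be mapped in web.xml behind a security-constraint limited to an administrative role.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import javax.naming.InitialContext;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Assumed Realm element (driverName/connectionURL values are placeholders):
// <Realm className="org.apache.catalina.realm.JDBCRealm" driverName="..." connectionURL="..."
//        userTable="users" userNameCol="user_name" userCredCol="user_pass"
//        userRoleTable="user_roles" roleNameCol="role_name" digest="SHA-256"/>
public class AddUserServlet extends HttpServlet {          // hypothetical class name
    private static final String NAME = "[A-Za-z0-9_.-]{1,32}"; // allow-list for names

    // Lowercase hex digest; algorithm and charset must match the realm's settings.
    // The realm's digest is unsalted, so restrict read access to the users table.
    static String digest(String password) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(password.getBytes("UTF-8"));
        StringBuilder hex = new StringBuilder();
        for (byte b : d) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username"), pass = req.getParameter("password");
        String role = req.getParameter("role");
        if (user == null || pass == null || role == null
                || !user.matches(NAME) || !role.matches(NAME) || pass.length() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        Connection con = null;
        try {
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/authDB");
            con = ds.getConnection();
            con.setAutoCommit(false);                       // user and role succeed or fail together
            insert(con, "INSERT INTO users (user_name, user_pass) VALUES (?, ?)", user, digest(pass));
            insert(con, "INSERT INTO user_roles (user_name, role_name) VALUES (?, ?)", user, role);
            con.commit();
            resp.setStatus(HttpServletResponse.SC_CREATED);
        } catch (Exception e) {
            try { if (con != null) con.rollback(); } catch (Exception ignored) { }
            throw new ServletException("could not add user", e);
        } finally {
            try { if (con != null) con.close(); } catch (Exception ignored) { }
        }
    }

    private static void insert(Connection con, String sql, String a, String b) throws Exception {
        PreparedStatement ps = con.prepareStatement(sql);   // bound parameters, no string concatenation
        try { ps.setString(1, a); ps.setString(2, b); ps.executeUpdate(); } finally { ps.close(); }
    }
}
```

Because JDBCRealm queries the database when a user logs in, rows added this way are usable at the next login without restarting Tomcat, and the web application needs no file permissions on tomcat-users.xml.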