Quick tip: Tomcat user realm digested passwords

Robin Bramley · Jun. 02, 11 · Java Zone · Interview

Most Tomcat packages include a script ($TOMCAT_HOME/bin/digest.sh or .bat for Windows) that can be used to create a one-way digest of a password. I use this, in conjunction with file permissions, to protect the Tomcat manager password in $TOMCAT_HOME/conf/tomcat-users.xml from prying eyes.

1. To use SHA, update $TOMCAT_HOME/conf/server.xml so that:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
              resourceName="UserDatabase"/>

reads

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             digest="SHA" resourceName="UserDatabase"/>

2. Then create your digest by running (replacing credentials with the password you want to digest):

$TOMCAT_HOME/bin/digest.sh -a SHA credentials

This will output the plaintext and then the digested form of the credentials separated by a colon – e.g. for ‘foo’:

foo:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33

3. Take the second part and place this into the password attribute of the user element in tomcat-users.xml – e.g.:

<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin"
   password="0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
   roles="admin,manager"/>
</tomcat-users>

4. Restart Tomcat for it to take effect.
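
To confirm the steps above took effect, the following added example (not part of the original article or of Tomcat) audits a tomcat-users.xml for password attributes that are not SHA digests and checks that the file is not group- or world-accessible. It assumes UTF-8 password encoding; the function names and the "deploy" user in the sample are constructed for illustration.

```python
import hashlib
import os
import re
import stat
import xml.etree.ElementTree as ET

# 40 hex characters: the shape of the SHA digest shown for 'foo' above.
# Heuristic only: a plaintext password that is itself 40 hex chars would pass.
SHA1_HEX = re.compile(r"\A[0-9a-fA-F]{40}\Z")

def sha_digest(password, encoding="utf-8"):
    """Hex SHA-1 of the password (unsalted, so equal passwords give equal digests).
    The UTF-8 default is an assumption about how the password was encoded."""
    return hashlib.sha1(password.encode(encoding)).hexdigest()

def audit_users(xml_text):
    """Map each username to 'digested' or 'plaintext' from its password attribute."""
    findings = {}
    for el in ET.fromstring(xml_text).iter():
        # Strip any XML namespace so files that declare xmlns on the root also match.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        pw = el.get("password", "")
        findings[el.get("username")] = "digested" if SHA1_HEX.match(pw) else "plaintext"
    return findings

def too_permissive(path):
    """True if group or others hold any permission bit on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))

# Constructed sample: the article's admin entry plus a hypothetical plaintext user.
SAMPLE = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin"
   password="0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
   roles="admin,manager"/>
  <user username="deploy" password="s3cret" roles="manager"/>
</tomcat-users>"""

if __name__ == "__main__":
    for name, state in audit_users(SAMPLE).items():
        print(f"{name}: {state}")
    print("digest of 'foo':", sha_digest("foo"))
```

On a real install, read $TOMCAT_HOME/conf/tomcat-users.xml into audit_users() and pass the same path to too_permissive().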

 

From http://leanjavaengineering.wordpress.com/2011/02/04/tomcat-digested-passwords/
