Quick tip: Tomcat user realm digested passwords
Most Tomcat packages include a script ($TOMCAT_HOME/bin/digest.sh, or digest.bat on Windows) that creates a one-way digest of a password. I use this, in conjunction with file permissions, to protect the Tomcat manager password in $TOMCAT_HOME/conf/tomcat-users.xml from prying eyes.
1. To use SHA, update $TOMCAT_HOME/conf/server.xml so that:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
reads
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" digest="SHA" resourceName="UserDatabase"/>
2. Then create your digest by running (replacing credentials with the password you want to digest; use digest.bat on Windows):
$TOMCAT_HOME/bin/digest.sh -a SHA credentials
This will output the plaintext and then the digested form of the credentials separated by a colon – e.g. for ‘foo’:
foo:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33
3. Take the second part and place this into the password attribute of the user element in tomcat-users.xml – e.g.:
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin" password="0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33" roles="admin,manager"/>
</tomcat-users>
4. Restart Tomcat for it to take effect.
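The following is an added example, not code from the post or from Tomcat itself. It reproduces what digest.sh does for the Realm's digest attribute (an unsalted hex digest of the password, printed as plaintext:digest), parses a constructed tomcat-users.xml in the format shown above, and checks a submitted password against the stored digest the way the realm does, using a constant-time comparison. The ALGORITHMS mapping from Realm digest names to hashlib names is my own assumption for the three names listed. Note that because the digest is unsalted, two users with the same password get the same digest, so the file permissions the post mentions still matter.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml, using the SHA digest of "foo" from the post.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin" password="0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33" roles="admin,manager"/>
</tomcat-users>
"""

# Assumed mapping from the Realm digest="..." attribute value to hashlib names.
ALGORITHMS = {"SHA": "sha1", "MD5": "md5", "SHA-256": "sha256"}


def hex_digest(password: str, algorithm: str = "SHA") -> str:
    """Unsalted hex digest of the password, as stored in tomcat-users.xml."""
    h = hashlib.new(ALGORITHMS[algorithm])
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def digest_credentials(password: str, algorithm: str = "SHA") -> str:
    """Same 'plaintext:digest' line that digest.sh -a <algorithm> prints."""
    return f"{password}:{hex_digest(password, algorithm)}"


def load_users(xml_text: str) -> dict:
    """Parse <user> elements into {username: {"password": digest, "roles": [...]}}."""
    root = ET.fromstring(xml_text)
    users = {}
    for user in root.findall("user"):
        users[user.get("username")] = {
            "password": user.get("password", ""),
            "roles": [r for r in user.get("roles", "").split(",") if r],
        }
    return users


def verify(users: dict, username: str, candidate: str, algorithm: str = "SHA") -> bool:
    """Check a submitted password against the stored digest without leaking timing."""
    entry = users.get(username)
    if entry is None:
        return False
    computed = hex_digest(candidate, algorithm)
    return hmac.compare_digest(computed, entry["password"].lower())


if __name__ == "__main__":
    print(digest_credentials("foo"))          # foo:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33
    users = load_users(TOMCAT_USERS_XML)
    print(verify(users, "admin", "foo"))      # True
    print(verify(users, "admin", "bar"))      # False
```

Run it with no arguments to see the digest line for "foo" and two verification results; paste the second half of the digest line into the password attribute exactly as step 3 describes.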
From http://leanjavaengineering.wordpress.com/2011/02/04/tomcat-digested-passwords/