Robin Bramley is a hands-on Architect who has spent the last decade working with Java, mobile & Open Source across sectors including Financial Services & High Growth / start-ups. Prior to that he helped UK Police Forces with MIS / reporting & intelligence systems. He has contributed to a wide variety of Open Source projects including adding OpenID support to Spring Security. Robin is a DZone MVB and is not an employee of DZone.

Quick tip: Tomcat user realm digested passwords

06.01.2011

Most Tomcat packages include a script ($TOMCAT_HOME/bin/digest.sh or .bat for Windows) that can be used to create a one-way digest of a password. I use this, in conjunction with file permissions, to protect the Tomcat manager password in $TOMCAT_HOME/conf/tomcat-users.xml from prying eyes.

1. To use SHA, update $TOMCAT_HOME/conf/server.xml so that:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>

reads

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       digest="SHA" resourceName="UserDatabase"/>

2. Then create your digest by running the following (replacing credentials with the password you want to digest; use digest.bat on Windows):

$TOMCAT_HOME/bin/digest.sh -a SHA credentials

This will output the plaintext and then the digested form of the credentials separated by a colon – e.g. for ‘foo’:

foo:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33

3. Take the second part and place this into the password attribute of the user element in tomcat-users.xml – e.g.:

<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin"
   password="0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
   roles="admin,manager"/>
</tomcat-users>

4. Restart Tomcat for it to take effect.
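As an added example (not part of the original post or of Tomcat itself), the script below reproduces the plain hex "plaintext:digest" format that the digest script prints for the SHA realm above, and then uses it the other way round: it parses a tomcat-users.xml, verifies a candidate password against the stored digest with a constant-time comparison, and flags any user whose password attribute is still plaintext (a common reason logins stop working right after the realm is switched to digest mode). The sample XML is constructed from the post's own example; the function names and the DIGEST_ALGORITHMS table are assumptions of this example, and it only covers the unsalted hex form shown in the post, not the salted forms newer Tomcat releases can emit.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample mirroring the post's tomcat-users.xml: the "admin" user
# carries the SHA digest of "foo" shown in the article, the "ops" user is a
# leftover plaintext entry that would never authenticate in digest mode.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin"
   password="0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
   roles="admin,manager"/>
  <user username="ops" password="secret" roles="manager"/>
</tomcat-users>
"""

# Maps the Realm's digest="..." value to a hashlib constructor (assumed table).
# "SHA" is what the post uses; it is the JCA alias for SHA-1.
DIGEST_ALGORITHMS = {
    "SHA": hashlib.sha1,
    "SHA-1": hashlib.sha1,
    "MD5": hashlib.md5,
    "SHA-256": hashlib.sha256,
}

HEX_CHARS = set("0123456789abcdefABCDEF")


def digest_password(password, algorithm="SHA"):
    """Lowercase hex digest of the UTF-8 password, the part after the colon."""
    return DIGEST_ALGORITHMS[algorithm](password.encode("utf-8")).hexdigest()


def digest_line(password, algorithm="SHA"):
    """Reproduce the 'plaintext:digest' line the digest script prints."""
    return "%s:%s" % (password, digest_password(password, algorithm))


def load_users(xml_text):
    """Parse tomcat-users.xml into {username: (password_attribute, [roles])}."""
    root = ET.fromstring(xml_text)
    users = {}
    for user in root.iter("user"):
        roles = [r for r in user.get("roles", "").split(",") if r]
        users[user.get("username")] = (user.get("password", ""), roles)
    return users


def verify_password(xml_text, username, candidate, algorithm="SHA"):
    """True if candidate digests to the value stored for username.

    hmac.compare_digest keeps the comparison constant-time, so the check does
    not leak how many leading hex characters of the digest matched.
    """
    users = load_users(xml_text)
    if username not in users:
        return False
    stored, _roles = users[username]
    expected = digest_password(candidate, algorithm).encode("ascii")
    return hmac.compare_digest(stored.lower().encode("utf-8"), expected)


def find_plaintext_users(xml_text, algorithm="SHA"):
    """Usernames whose password attribute is not a hex digest of the expected
    length for the realm's algorithm, i.e. entries still holding plaintext."""
    expected_len = DIGEST_ALGORITHMS[algorithm]().digest_size * 2
    suspects = []
    for name, (stored, _roles) in load_users(xml_text).items():
        if len(stored) != expected_len or any(c not in HEX_CHARS for c in stored):
            suspects.append(name)
    return suspects


if __name__ == "__main__":
    print(digest_line("foo"))
    print("admin/foo ok:", verify_password(SAMPLE_TOMCAT_USERS, "admin", "foo"))
    print("still plaintext:", find_plaintext_users(SAMPLE_TOMCAT_USERS))
```

Because the digest is unsalted, two users with the same password get identical password attributes, which is why the file permissions mentioned at the top of the post still matter even after digesting.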


From http://leanjavaengineering.wordpress.com/2011/02/04/tomcat-digested-passwords/

Published at DZone with permission of Robin Bramley, author and DZone MVB.


Comments

Joey Solis replied on Thu, 2011/06/02 - 6:20pm

This is good to know. I was about to do the same thing in the database. But encrypted plain text will do.
