Quick tip: Tomcat user realm digested passwords

Most Tomcat packages include a script ($TOMCAT_HOME/bin/digest.sh or .bat for Windows) that can be used to create a one-way digest of a password. I use this, in conjunction with file permissions, to protect the Tomcat manager password in $TOMCAT_HOME/conf/tomcat-users.xml from prying eyes.

1. To use SHA, update $TOMCAT_HOME/conf/server.xml so that:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
              resourceName="UserDatabase"/>

reads

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             digest="SHA" resourceName="UserDatabase"/>

2. Then create your digest by running (replacing credentials with the password you want to digest):

$TOMCAT_HOME/bin/digest -a SHA credentials

This will output the plaintext and then the digested form of the credentials separated by a colon – e.g. for ‘foo’:

foo:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33

3. Take the second part and place this into the password attribute of the user element in tomcat-users.xml – e.g.:

<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin" 
   password="0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
   roles="admin,manager"/>
</tomcat-users>

4. Restart Tomcat for it to take effect.

About these ads

3 responses to “Quick tip: Tomcat user realm digested passwords

  1. Pingback: Quick tip: Tomcat user realm digested passwords

  2. Pingback: Grails & Hudson Part 4: Automated Deployment | Lean Java Engineering

  3. Pingback: Tomcat user realm digested passwords - Tomcat Tutorial

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s