How do I use non-plaintext passwords for Tomcat users?
Solution 1:
Taken from this page
- add "digest" attribute on your element in server.xml with a hash algorithm as value (possible values are for example md5, sha-1 or sha-256, where the latter is strongly recommended).
- Run
  $CATALINA_HOME/bin/digest.sh -a <YOUR_HASH_ALGORITHM> <YOUR_PASSWORD>
- You will get an output in the following form
  <YOUR_PASSWORD>:<ENCRYPTED_PASSWORD>
- Replace value of user's password attribute in your tomcat-users.xml to <ENCRYPTED_PASSWORD>
- restart tomcat
See also: Tomcat digest password
Solution 2:
For anyone coming here looking for information about Tomcat 8.0.15 or newer, you should probably use SecretKeyCredentialHandler with PBKDF2 instead, since it's much more secure (i.e. harder to crack) than a simple message digest.
For example, in your server.xml:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
  <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                     algorithm="PBKDF2WithHmacSHA512"
                     keyLength="256"
  />
</Realm>
With this configuration, use the following to generate the hashed output from your password:
$CATALINA_HOME/bin/digest.sh -a "PBKDF2WithHmacSHA512" -i 100000 -s 16 -k 256 -h "org.apache.catalina.realm.SecretKeyCredentialHandler" "YOUR_PASSWORD"
with the iteration count and salt size (in bytes) of your choosing. Note that the key length needs to be the same as defined in server.xml because of bug 60446. It should be fixed pretty soon upstream though.
WARNING! Please ensure your password does not get saved in your shell's command history. In bash this is achieved by preceding the command with an empty space.
The command will output your password in plain-text and a hex-representation of the resulting credentials, which you should use as your password attribute in your tomcat-users.xml.
Documentation for the CredentialHandler component can be found here. The possible values for the algorithm attribute can be found here.
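The following is an added example, written for this page and not taken from either answer or from Tomcat's own code. It reproduces, in Python, the two credential shapes the answers describe: the unsalted single-round message digest of Solution 1 and the PBKDF2WithHmacSHA512 key of Solution 2, so you can check what digest.sh produced and see why the key length in server.xml has to match the one used at generation time. It assumes the stored credential layout `hexsalt$iterations$hexkey` that Tomcat's salted credential handlers use, and that Java encodes the password as UTF-8 before deriving the key; verify both against your Tomcat version before relying on it.

```python
import hashlib
import hmac
import os

# Assumed stored-credential layout for Tomcat's salted handlers:
#   <hex salt>$<iteration count>$<hex derived key>
# Check this against the Realm documentation for your Tomcat version.


def plain_digest_credential(password: str, algorithm: str = "sha-256") -> str:
    """Solution 1 shape: a single, unsalted digest of the password.

    Fast to compute, so also fast to brute-force; kept here only so the
    contrast with PBKDF2 below is visible.
    """
    name = algorithm.replace("-", "").lower()        # "sha-256" -> "sha256"
    return hashlib.new(name, password.encode("utf-8")).hexdigest()


def pbkdf2_credential(password: str, iterations: int = 100000, salt_size: int = 16,
                      key_length_bits: int = 256, salt: bytes = None) -> str:
    """Solution 2 shape: PBKDF2WithHmacSHA512 with a random salt.

    Parameters mirror digest.sh's -i (iterations), -s (salt bytes) and
    -k (key length in bits). A fixed salt may be passed in for testing.
    """
    if salt is None:
        salt = os.urandom(salt_size)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                              iterations, dklen=key_length_bits // 8)
    return f"{salt.hex()}${iterations}${key.hex()}"


def verify_pbkdf2(password: str, stored: str, key_length_bits: int = 256) -> bool:
    """Check a password against a stored credential the way a realm would.

    key_length_bits plays the role of keyLength in server.xml: the salt
    and iteration count travel inside the credential, but the key length
    does not, so a mismatch here silently makes every login fail.
    """
    try:
        salt_hex, iter_str, key_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iter_str)
    except ValueError:
        return False                                  # malformed credential
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                    iterations, dklen=key_length_bits // 8)
    # Constant-time comparison; differing lengths compare unequal.
    return hmac.compare_digest(candidate.hex(), key_hex)


if __name__ == "__main__":
    # Constructed demo values, not from any real deployment.
    cred = pbkdf2_credential("correct horse battery staple")
    print("store this as the password attribute:", cred)
    print("login with right password:", verify_pbkdf2("correct horse battery staple", cred))
    print("login with wrong keyLength:", verify_pbkdf2("correct horse battery staple", cred, 512))
```

Run it to see that the same password verifies only when the key length passed to `verify_pbkdf2` equals the one used to create the credential, which is the bug 60446 caveat from Solution 2 made concrete. The `plain_digest_credential` output is what you would compare against a Solution 1 style `digest.sh -a sha-256` result.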