How do I use non-plaintext passwords for Tomcat users?

On Ubuntu 10.04.3 LTS, after installing Tomcat 6, the way to add a manager / admin account is to add a record like this to /etc/tomcat6/tomcat-users.xml:

<role rolename="manager"/>
<role rolename="admin"/>
<user username="user" password="password" roles="manager,admin"/>

That password is in plaintext, and I'm not comfortable with that. Is there a way to use something like a hash instead? If you have a non-Ubuntu solution, I can probably translate it.


Solution 1:

Taken from this page

  1. Add a "digest" attribute on your <Realm> element in server.xml with a hash algorithm as value (possible values are for example md5, sha-1 or sha-256, where the latter is strongly recommended).
  2. Run $CATALINA_HOME/bin/digest.sh -a <YOUR_HASH_ALGORITHM> <YOUR_PASSWORD>
  3. You will get an output in the following form: <YOUR_PASSWORD>:<ENCRYPTED_PASSWORD>
  4. Replace the value of the user's password attribute in your tomcat-users.xml with <ENCRYPTED_PASSWORD>
  5. Restart Tomcat

See also: Tomcat digest password

Solution 2:

For anyone coming here looking for information about Tomcat 8.0.15 or newer, you should probably use SecretKeyCredentialHandler with PBKDF2 instead, since it's much more secure (i.e. harder to crack) than a simple message digest.

For example, in your server.xml:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
   <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                      algorithm="PBKDF2WithHmacSHA512"
                      keyLength="256"
   />
</Realm>

With this configuration, use the following to generate the hashed output from your password:

 $CATALINA_HOME/bin/digest.sh -a "PBKDF2WithHmacSHA512" -i 100000 -s 16 -k 256 -h "org.apache.catalina.realm.SecretKeyCredentialHandler" "YOUR_PASSWORD"

with the iteration count and salt size (in bytes) of your choosing. Note that the key length needs to be the same as defined in server.xml because of bug 60446. It should be fixed pretty soon upstream though.

WARNING! Please ensure your password does not get saved in your shell's command history. In bash this is achieved by preceding the command with an empty space.

The command will output your password in plaintext and a hex representation of the resulting credentials, which you should use as your password attribute in your tomcat-users.xml.

Documentation for the CredentialHandler component can be found here. The possible values for the algorithm attribute can be found here.
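As an added example (not part of either answer above, and not Tomcat's own code), here is how a stored credential for this handler can be generated and checked outside of Tomcat, e.g. to confirm that what you pasted into tomcat-users.xml really corresponds to the password you meant. It assumes the stored format is `<salt-hex>$<iterations>$<key-hex>` (the part digest.sh prints after the colon), derived with PBKDF2-HMAC-SHA512 and a 256-bit key to match the server.xml above, and that the password is UTF-8 encoded as Java does; the sample password and zero salt are constructed for the test.

```python
"""Generate and verify Tomcat-style PBKDF2 credentials (added example).

Assumed storage format (what SecretKeyCredentialHandler writes and what
digest.sh prints after the colon): <salt-hex>$<iterations>$<key-hex>.
"""
import hashlib
import hmac
import os
from typing import Optional

# Mirror the server.xml settings from the answer: PBKDF2WithHmacSHA512,
# keyLength="256" bits, and the digest.sh flags -i 100000 -s 16.
ALGORITHM = "sha512"
KEY_LENGTH_BITS = 256
DEFAULT_ITERATIONS = 100_000
DEFAULT_SALT_BYTES = 16


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2 with HMAC-SHA512; the password is UTF-8 encoded (assumed to match Java)."""
    return hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LENGTH_BITS // 8)


def make_credential(password: str, salt: Optional[bytes] = None,
                    iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return the value to paste into the password="..." attribute."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_BYTES)  # fresh random salt per user
    key = derive_key(password, salt, iterations)
    return f"{salt.hex()}${iterations}${key.hex()}"


def verify_credential(password: str, stored: str) -> bool:
    """Check a login attempt against a stored salt$iterations$key string."""
    parts = stored.split("$")
    if len(parts) != 3:
        return False  # plaintext or an unsalted digest, not this handler's format
    try:
        salt = bytes.fromhex(parts[0])
        iterations = int(parts[1])
        expected = bytes.fromhex(parts[2])
    except ValueError:
        return False  # malformed hex or iteration count
    if iterations <= 0 or len(expected) != KEY_LENGTH_BITS // 8:
        return False  # a key-length mismatch can never verify (cf. bug 60446)
    candidate = derive_key(password, salt, iterations)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison
```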