By default, Tomcat stores passwords in server.xml in clear text, which can lead to obvious security lapses.
The easiest mitigation against user account compromise is to store a password digest instead of the clear text (SHA, MD2 or MD5 are supported).
With $CATALINA_HOME/lib/catalina.jar and $CATALINA_HOME/bin/tomcat-juli.jar on your class path, run the following to generate the digested passwords:
java org.apache.catalina.realm.RealmBase -a {algorithm} {cleartext-password}
The digest technique works by digesting the incoming clear text password (as entered by the user) and comparing the result with the stored digested password. If the two digests match, the password entered by the user must be correct, and the authenticate() method of the Realm succeeds.
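The generate-then-compare flow described above, as an added example in Python rather than Tomcat's own Java code: digest_password() produces the same lowercase hex string that the RealmBase command prints (assuming UTF-8 password bytes, as current Tomcat releases use), and authenticate() repeats the digest on a login attempt and compares it with the stored value. The user table is a constructed stand-in for digested tomcat-users.xml entries, and the constant-time comparison is this example's choice, not a claim about how Tomcat compares strings. Two constructed users deliberately share a password so that digest_collisions() can show the caveat of an unsalted digest: identical passwords produce identical stored values, so anyone who can read the stored data can see which users share a password.

```python
import hashlib
import hmac

# Algorithm names as the Tomcat page spells them, mapped to hashlib names.
# MD2 is listed on the page but is absent from hashlib on most builds, so it is left out.
ALGORITHMS = {"SHA": "sha1", "MD5": "md5"}


def digest_password(cleartext, algorithm="SHA", encoding="utf-8"):
    """Hex digest of a clear text password, as `RealmBase -a {algorithm}` prints it.

    Assumption: UTF-8 password bytes and lowercase hex output.
    """
    name = ALGORITHMS[algorithm.upper()]
    return hashlib.new(name, cleartext.encode(encoding)).hexdigest()


# Constructed stand-in for digested <user> entries in tomcat-users.xml.
# alice and bob intentionally share a password (see digest_collisions below).
USERS = {
    "alice": digest_password("abc", "SHA"),
    "bob": digest_password("abc", "SHA"),
    "carol": digest_password("letmein", "SHA"),
}


def authenticate(username, cleartext, algorithm="SHA", users=USERS):
    """Mirror of the Realm's authenticate(): digest the submitted password and
    compare it with the stored digest. Unknown users fail without revealing why."""
    stored = users.get(username)
    if stored is None:
        return False
    candidate = digest_password(cleartext, algorithm)
    # Constant-time compare (this example's choice, not asserted about Tomcat).
    return hmac.compare_digest(candidate, stored)


def digest_collisions(users=USERS):
    """Group usernames by stored digest. With an unsalted digest, every group with
    more than one member exposes that those users chose the same password."""
    by_digest = {}
    for name, stored in users.items():
        by_digest.setdefault(stored, []).append(name)
    return [sorted(names) for names in by_digest.values() if len(names) > 1]


if __name__ == "__main__":
    print("SHA digest of 'abc':", digest_password("abc", "SHA"))
    print("alice / correct password:", authenticate("alice", "abc"))
    print("alice / wrong password:  ", authenticate("alice", "abd"))
    print("users sharing a digest:  ", digest_collisions())
```

Run it and compare the first line of output with what `java org.apache.catalina.realm.RealmBase -a SHA abc` prints on your Tomcat; if they differ, the platform encoding used by that Tomcat build is the first thing to check. The collision list is the reason unsalted digests are only a baseline: they keep clear text out of the file, but they do not hide password reuse across accounts.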
Thanks for the great article.
The Tomcat server.xml file allows us to configure Tomcat using a simple XML descriptor, which is the heart of Tomcat. With digested passwords, two convenience techniques are used for encryption: one is calling the static Digest while writing an application, and the second is executing a digested version of this clear text password.
There are lots of chances of the data being corrupted using the log-in credentials. So the need of the hour is to safeguard the exposed user name and password through some means. And the password digest technique from Tomcat really works.