On Ubuntu 10.04.3 LTS, after installing Tomcat 6, the way to add a manager / admin account is to add a record like this to /etc/tomcat6/tomcat-users.xml:
<role rolename="manager"/>
<role rolename="admin"/>
<user username="user" password="password" roles="manager,admin"/>
That password is in plaintext, and I'm not comfortable with that. Is there a way to use something like a hash instead? If you have a non-Ubuntu solution, I can probably translate it.
Taken from this page
server.xml with a hash algorithm as value (possible values are for example md5, sha-1 or sha-256, where the latter is strongly recommended).$CATALINE_HOME/bin/digest.sh -a <YOUR_HASH_ALGORITHM> <YOUR_PASSWORD><YOUR_PASSWORD>:<ENCRYPTED_PASSWORD>password attribute in your tomcat-users.xml to <ENCRYPTED_PASSWORD>See also: Tomcat digest password
For anyone coming here looking for information about Tomcat 8.0.15 or newer, you should probably use SecretKeyCredentialHandler with PBKDF2 instead, since it's much more secure (i.e. harder to crack) than a simple message digest.
For example, in your server.xml:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase">
<CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
algorithm="PBKDF2WithHmacSHA512"
keyLength="256"
/>
</Realm>
With this configuration, use the following to generate the hashed output from your password:
$CATALINA_HOME/bin/digest.sh -a "PBKDF2WithHmacSHA512" -i 100000 -s 16 -k 256 -h "org.apache.catalina.realm.SecretKeyCredentialHandler" "YOUR_PASSWORD"
with the iteration-count and salt-size (in bytes) of your choosing. Note that the key length need to be the same as defined in server.xml because of bug 60446. It should be fixed pretty soon upstream though.
WARNING! Please ensure your password does not get saved in your shell's command history. In bash this is achieved by preceding the command with an empty space.
The command will output your password in plain-text and a hex-representation of the resulting credentials, which you should use as your password attribute in your tomcat-users.xml.
Documentation for the CredentialHandler component can be found here. The possible values for the algorithm attribute can be found here.
1) Generate password: /bin>digest.bat -s 0 -a sha-256
Example: /bin>digest.bat -s 0 -a sha-256 admin
Password to use is: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
*Important note: You must use “-s 0 “(salt 0) or it won’t work.
2) paste password above into your tomcat-users.xml file.
Example:
<!-- for password “admin” -->
<user username="tomcat" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" roles="manager-gui,manager,admin"></user>
3) configure server.xml to use SHA-256 digest hashed based passwords:
4) configure your web.xml to use “DIGEST” passwords and update RealmName to match above (in the HTMLManager section)
<catalina_home>/webapps/manager\WEB-INF\web.xml
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>UserDatabase</realm-name>
</login-config>
Full context:
<servlet>
<servlet-name>HTMLManager</servlet-name>
<servlet-class>org.apache.catalina.manager.HTMLManagerServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>2</param-value>
</init-param>
… SNIPPED_FOR_BREVITY ...
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>UserDatabase</realm-name>
</login-config>
<multipart-config>
<!-- 50MB max -->
<max-file-size>52428800</max-file-size>
<max-request-size>52428800</max-request-size>
<file-size-threshold>0</file-size-threshold>
</multipart-config>
</servlet>
