19

On Ubuntu 10.04.3 LTS, after installing Tomcat 6, the way to add a manager / admin account is to add a record like this to /etc/tomcat6/tomcat-users.xml:

<role rolename="manager"/>
<role rolename="admin"/>
<user username="user" password="password" roles="manager,admin"/>

That password is in plaintext, and I'm not comfortable with that. Is there a way to use something like a hash instead? If you have a non-Ubuntu solution, I can probably translate it.

John Whitlock
  • 1,037
  • 2
  • 9
  • 14

3 Answers

15

Taken from this page

  1. Add a "digest" attribute on your Realm element in server.xml with a hash algorithm as value (possible values are for example md5, sha-1 or sha-256, where the latter is strongly recommended).
  2. Run $CATALINA_HOME/bin/digest.sh -a <YOUR_HASH_ALGORITHM> <YOUR_PASSWORD>
  3. You will get an output in the following form: <YOUR_PASSWORD>:<ENCRYPTED_PASSWORD>
  4. Replace the value of the user's password attribute in your tomcat-users.xml with <ENCRYPTED_PASSWORD>
  5. Restart Tomcat

See also: Tomcat digest password

masegaloeh
  • 17,978
  • 9
  • 56
  • 104
Alex
  • 3,079
  • 20
  • 28
  • 1
    +1, but eek at the MD5. Use `"sha-1"` or `"sha-256"`, if it'll work. – Shane Madden Jul 29 '11 at 19:47
  • 1
    In Tomcat 7 there is now a digest.bat in the bin directory to do this. Example : `digest.bat -a "md5" ` – Zasz Aug 21 '11 at 18:45
  • 1
    This is incomplete for Tomcat 8.5.x. See my comment below for full steps. You must also modify your realm in the server.xml as well as in the web.xml authentication method. – atom88 Jun 15 '17 at 16:40
9

For anyone coming here looking for information about Tomcat 8.0.15 or newer, you should probably use SecretKeyCredentialHandler with PBKDF2 instead, since it's much more secure (i.e. harder to crack) than a simple message digest.

For example, in your server.xml:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
   <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                      algorithm="PBKDF2WithHmacSHA512"
                      keyLength="256"
   />
</Realm>

With this configuration, use the following to generate the hashed output from your password:

 $CATALINA_HOME/bin/digest.sh -a "PBKDF2WithHmacSHA512" -i 100000 -s 16 -k 256 -h "org.apache.catalina.realm.SecretKeyCredentialHandler" "YOUR_PASSWORD"

with the iteration count and salt size (in bytes) of your choosing. Note that the key length needs to be the same as defined in server.xml because of bug 60446. It should be fixed pretty soon upstream though.

WARNING! Please ensure your password does not get saved in your shell's command history. In bash this is achieved by preceding the command with an empty space.

The command will output your password in plain-text and a hex-representation of the resulting credentials, which you should use as your password attribute in your tomcat-users.xml.

Documentation for the CredentialHandler component can be found here. The possible values for the algorithm attribute can be found here.

Niklas Holm
  • 191
  • 1
  • 6
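The answer above generates the PBKDF2 credential with digest.sh but does not show what the stored string looks like or how it is checked. The following is an added example, not code from the answer or from Tomcat itself: it assumes the stored form is <hex salt>$<iterations>$<hex key>, with the same parameters as the -i, -s and -k options above, and uses Python's standard PBKDF2 implementation (PBKDF2WithHmacSHA512 in Java is the same RFC 2898 construction, so the hex key is comparable). The verifier reads the key length from the stored key instead of a configured value, which is one way to avoid the keyLength mismatch the answer warns about.

```python
"""Generate and verify Tomcat-style PBKDF2 (SecretKeyCredentialHandler) credentials.

Added example for illustration; not from the answer above or from Tomcat.
Assumed stored layout: <hex salt>$<iterations>$<hex key>.
"""
import hashlib
import hmac
import os
from typing import Optional

# JCA algorithm names (the values used for the algorithm attribute in
# server.xml) mapped to hashlib digest names. Only the HMAC-SHA family.
PBKDF2_ALGORITHMS = {
    "PBKDF2WithHmacSHA1": "sha1",
    "PBKDF2WithHmacSHA256": "sha256",
    "PBKDF2WithHmacSHA512": "sha512",
}


def make_credential(password: str, *, algorithm: str = "PBKDF2WithHmacSHA512",
                    iterations: int = 100_000, salt_len: int = 16,
                    key_length: int = 256, salt: Optional[bytes] = None) -> str:
    """Return salt$iterations$key for the given password.

    iterations, salt_len and key_length correspond to -i, -s and -k in the
    digest.sh call above; key_length is in bits, like the keyLength attribute.
    A fixed salt may be passed for testing; normal use lets os.urandom pick it.
    """
    digest = PBKDF2_ALGORITHMS[algorithm]
    if salt is None:
        salt = os.urandom(salt_len)
    key = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                              iterations, dklen=key_length // 8)
    return f"{salt.hex()}${iterations}${key.hex()}"


def verify_credential(password: str, stored: str,
                      algorithm: str = "PBKDF2WithHmacSHA512") -> bool:
    """Check a password against a stored salt$iterations$key string.

    The derived key length is taken from the stored key, so a -k value that
    differs from keyLength cannot silently reject every login. Malformed
    stored strings are treated as a failed match rather than an exception.
    """
    try:
        hex_salt, iter_text, hex_key = stored.split("$", 2)
        salt = bytes.fromhex(hex_salt)
        iterations = int(iter_text)
        expected = bytes.fromhex(hex_key)
    except ValueError:
        return False
    if iterations < 1 or not expected:
        return False
    digest = PBKDF2_ALGORITHMS[algorithm]
    actual = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    credential = make_credential("YOUR_PASSWORD")  # placeholder password
    print(credential)
    print(verify_credential("YOUR_PASSWORD", credential))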
0

1) Generate password: /bin>digest.bat -s 0 -a sha-256

Example: /bin>digest.bat -s 0 -a sha-256 admin

Password to use is: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

*Important note: You must use "-s 0" (salt 0) or it won't work.

2) paste password above into your tomcat-users.xml file.

Example:

<!-- for password “admin” -->
<user username="tomcat" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" roles="manager-gui,manager,admin"></user>

3) configure server.xml to use SHA-256 digest hash-based passwords:

4) configure your web.xml to use “DIGEST” passwords and update RealmName to match above (in the HTMLManager section)

 <catalina_home>\webapps\manager\WEB-INF\web.xml

    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>UserDatabase</realm-name> 
    </login-config>

Full context:
  <servlet>
    <servlet-name>HTMLManager</servlet-name>
    <servlet-class>org.apache.catalina.manager.HTMLManagerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>2</param-value>
    </init-param>

… SNIPPED_FOR_BREVITY ...   

    <login-config>
      <auth-method>DIGEST</auth-method>
      <realm-name>UserDatabase</realm-name>
    </login-config>

    <multipart-config>
      <!-- 50MB max -->
      <max-file-size>52428800</max-file-size>
      <max-request-size>52428800</max-request-size>
      <file-size-threshold>0</file-size-threshold>
    </multipart-config>
  </servlet>
atom88
  • 111
  • 2
  • You're confusing DIGEST auth with hashed passwords. The question is about using hashed passwords with BASIC auth. – rustyx Sep 13 '17 at 13:08
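Both the first answer (digest attribute plus digest.sh) and the answer just above (digest.bat -s 0 -a sha-256) store the plain hex digest of the password in tomcat-users.xml, with no salt and a single hashing pass. The following added example, which is not code from either answer or from Tomcat, reproduces that credential in Python, checks a login against a constructed tomcat-users.xml, and flags user entries whose password attribute is still plaintext, i.e. where step 4 of the first answer was not applied. The admin digest below is the value the answer above prints; the sample users file is constructed for this example.

```python
"""Reproduce and check unsalted Tomcat digest credentials (digest.sh -s 0).

Added example, not from the answers above or from Tomcat. It assumes the
stored credential is the hex digest of the password with no salt, which is
what the "admin" example above shows.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Values of the Realm digest attribute mapped to hashlib names.
DIGEST_ALGORITHMS = {"md5": "md5", "sha-1": "sha1", "sha-256": "sha256", "sha-512": "sha512"}

# Constructed sample file: "tomcat" has the SHA-256 digest of "admin" from the
# answer above, "legacy" still has a plaintext password (placeholder value).
SAMPLE_USERS_XML = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat"
        password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
        roles="manager-gui"/>
  <user username="legacy" password="password" roles="manager-gui"/>
</tomcat-users>"""


def digest_credential(password: str, algorithm: str = "sha-256") -> str:
    """Hex digest of the password, the same string digest.sh -s 0 -a <alg> prints."""
    return hashlib.new(DIGEST_ALGORITHMS[algorithm], password.encode("utf-8")).hexdigest()


def verify_digest(password: str, stored: str, algorithm: str = "sha-256") -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    return hmac.compare_digest(digest_credential(password, algorithm), stored.lower())


def load_users(xml_text: str) -> dict:
    """Return {username: password attribute} from a tomcat-users.xml document."""
    root = ET.fromstring(xml_text)
    return {u.get("username"): u.get("password", "") for u in root.iter("user")}


def authenticate(users: dict, username: str, password: str,
                 algorithm: str = "sha-256") -> bool:
    """Check a username/password pair against the loaded users."""
    stored = users.get(username)
    if stored is None:
        # Hash anyway so an unknown user costs about the same as a wrong password.
        digest_credential(password, algorithm)
        return False
    return verify_digest(password, stored, algorithm)


def find_plaintext_passwords(users: dict, algorithm: str = "sha-256") -> list:
    """Names of users whose password attribute is not a hex digest of the
    expected length, i.e. entries that were never converted."""
    expected_len = hashlib.new(DIGEST_ALGORITHMS[algorithm]).digest_size * 2
    hex_chars = set("0123456789abcdefABCDEF")
    return sorted(name for name, pw in users.items()
                  if len(pw) != expected_len or not set(pw) <= hex_chars)


if __name__ == "__main__":
    users = load_users(SAMPLE_USERS_XML)
    print(authenticate(users, "tomcat", "admin"))
    print(find_plaintext_passwords(users))
```

Because nothing is salted, two users with the same password get the identical digest and a precomputed table of common passwords applies directly; that is the weakness the PBKDF2 answer above addresses with a per-user salt and iteration count.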