Posted to users@tomcat.apache.org by Guy Mac <gu...@arizona.edu> on 2017/11/20 18:23:06 UTC

encrypting passwords in tomcat-users.xml

I'm failing to figure out how to encrypt passwords for (slightly) 
different versions of Tomcat 8.0.x on different platforms.

With Tomcat 8.0.37 on MacOS, I run digest.sh with a password, placing 
the output in tomcat-users, and update the Realm for the Catalina engine to:
       <Realm className="org.apache.catalina.realm.LockOutRealm">
         <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
           <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-512"/>
         </Realm>
       </Realm>

and that all works just fine.

But when I try to repeat the steps for Tomcat 8.0.14-1 on Linux 
(Debian), it does not work. How do I encrypt passwords for this version 
of Tomcat?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: encrypting passwords in tomcat-users.xml

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Guy,

On 11/20/17 1:23 PM, Guy Mac wrote:
> I'm failing to figure out how to encrypt passwords for (slightly) 
> different versions of Tomcat 8.0.x on different platforms.

Some background: older versions of Tomcat only supported single-round
hashing such as MD5, SHA-1, SHA-256, etc. and the newer versions
support many more options including pluggable modules to do whatever
you want. Most people will be able to use the baked-in modules to get
what they want, but you can build your own if you need something special.

> With Tomcat 8.0.37 on MacOS, I run digest.sh with a password,
> placing the output in tomcat-users

Specifically, how do you run this?

> , and update the Realm for the Catalina engine to:
>        <Realm className="org.apache.catalina.realm.LockOutRealm">
>          <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
>            <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-512"/>
>          </Realm>
>        </Realm>
> 
> and that all works just fine.

Good.

> But when I try to repeat the steps for Tomcat 8.0.14-1 on Linux 
> (Debian), it does not work. How do I encrypt passwords for this
> version of Tomcat?

The process should be the same, and the hash should be the same
no matter what version of Tomcat you use to produce it, and no
matter what platform you use.

From a Tomcat 7.0.x install:

$ $CATALINA_HOME/bin/digest.sh -a SHA-512 's3cret'
s3cret:1ec1c26b50d5d3c58d9583181af8076655fe00756bf7285940ba3670f99fcba0

[Note that if you put that on the command-line it will be in your
shell's history for anyone to see. Try using a leading space character
to keep some shells from keeping the command in the history.]

From a Tomcat 8.0.x install:
$ $CATALINA_HOME/bin/digest.sh -a SHA-256 s3cret
s3cret:46e78df675f5842ebca3f67679a3ce14fd3ddb08727feacba84935f58914d49b$1$4e72031fe6f751d3b2390cd494971b8bf27cccf41f5ea8d7f56272f15b091207

Wait, what?! It turns out that Tomcat 8.0.x uses a salted, iterated
hash by default and so you get (a) more protection and (b) more stuff
coming out.

If you want to get the same thing you got from Tomcat 7.0.x, you'll
need some additional command-line arguments:

$ $CATALINA_HOME/bin/digest.sh -a SHA-256 -i 1 -s 0 s3cret
s3cret:1ec1c26b50d5d3c58d9583181af8076655fe00756bf7285940ba3670f99fcba0

This is true of Tomcat 8.5.x and Tomcat 9.0.x as well.

Hope that helps,
-chris
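An added example for this thread, not code from the thread or from Tomcat itself: a small Python re-implementation of the two credential shapes Chris shows above, the Tomcat 7 style plain hex digest and the `salt$iterations$digest` form that Tomcat 8.0.x emits by default, so a password can be generated and checked against a tomcat-users.xml entry outside the container. It assumes the first round hashes the salt bytes followed by the UTF-8 password and that every further iteration re-hashes the previous digest; the `LEGACY` and `SALTED` constants are the two digest.sh outputs pasted above, and `make_credential(..., salt_length=0, iterations=1)` corresponds to the `-s 0 -i 1` invocation.

```python
"""Generate and check Tomcat MessageDigestCredentialHandler-style credentials.

Added example for this thread, not Tomcat's own code. Assumption: round 1 is
SHA(salt || password) and every further iteration re-hashes the previous digest.
"""
import hashlib
import hmac
import os

# Values pasted in the thread above (digest.sh output for the password "s3cret").
LEGACY = "1ec1c26b50d5d3c58d9583181af8076655fe00756bf7285940ba3670f99fcba0"
SALTED = ("46e78df675f5842ebca3f67679a3ce14fd3ddb08727feacba84935f58914d49b"
          "$1$4e72031fe6f751d3b2390cd494971b8bf27cccf41f5ea8d7f56272f15b091207")


def _hashlib_name(algorithm):
    """Map a JCA name such as 'SHA-256' onto hashlib's 'sha256'."""
    return algorithm.lower().replace("-", "")


def _hex_digest(algorithm, salt, password, iterations):
    """Round 1 hashes salt || password; rounds 2..n hash the previous digest."""
    name = _hashlib_name(algorithm)
    md = hashlib.new(name)
    md.update(salt)
    md.update(password.encode("utf-8"))
    digest = md.digest()
    for _ in range(1, iterations):
        digest = hashlib.new(name, digest).digest()
    return digest.hex()


def make_credential(password, algorithm="SHA-256", salt_length=32, iterations=1, salt=None):
    """Return the text digest.sh prints after 'password:'.

    salt_length=0 with iterations=1 reproduces the Tomcat 7 style plain hex
    (digest.sh -s 0 -i 1); anything else yields 'salt$iterations$digest'.
    """
    if salt is None:
        salt = os.urandom(salt_length)
    digest_hex = _hex_digest(algorithm, salt, password, iterations)
    if len(salt) == 0 and iterations == 1:
        return digest_hex
    return f"{salt.hex()}${iterations}${digest_hex}"


def parse_credential(stored):
    """Split a stored credential into (salt_bytes, iterations, digest_hex).

    A credential without '$' is the legacy unsalted form: empty salt, one round.
    Raises ValueError on a malformed salted credential; verify() treats that as
    a failed match rather than guessing at the format.
    """
    if "$" not in stored:
        return b"", 1, stored
    parts = stored.split("$", 2)
    if len(parts) != 3:
        raise ValueError("expected salt$iterations$digest")
    salt_hex, iterations, digest_hex = parts
    return bytes.fromhex(salt_hex), int(iterations), digest_hex


def verify(password, stored, algorithm="SHA-256"):
    """True when password reproduces the stored credential (either form)."""
    try:
        salt, iterations, digest_hex = parse_credential(stored)
    except ValueError:
        return False
    computed = _hex_digest(algorithm, salt, password, iterations)
    # Hex is compared case-insensitively; compare_digest avoids a timing leak.
    return hmac.compare_digest(computed.lower(), digest_hex.lower())


if __name__ == "__main__":
    print("legacy :", verify("s3cret", LEGACY))
    print("salted :", verify("s3cret", SALTED))
    print("new    :", make_credential("s3cret", iterations=1000))
```

Running the module checks the thread's two sample credentials and prints a freshly salted one with 1000 iterations; the stored form tells the verifier everything it needs (salt and round count), which is why a hash produced on one platform or Tomcat version verifies on another, exactly as Chris says.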
