When configuring Tomcat 6 on Ubuntu (or any system), the default authentication mechanism in tomcat-users.xml requires passwords in plaintext:
<user username="admin" password="secret123" roles="manager,admin"/>This presents serious security risks, especially when the file might be exposed during backups or version control commits. Let's explore proper password hashing solutions.
Tomcat supports digest authentication through the DigestCredentialHandler. Here's how to implement it:
- First, generate a hashed password using Tomcat's utility:
CATALINA_HOME/bin/digest.sh -a SHA-256 "secret123"
# Output: secret123:ab4f63f9ac65152575886860dde480a1- Modify your
tomcat-users.xml:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase">
<CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
algorithm="SHA-256"/>
</Realm>
<user username="admin"
password="ab4f63f9ac65152575886860dde480a1"
roles="manager,admin"/>For stronger security, implement BCrypt hashing:
// Custom Realm implementation snippet
public class BCryptRealm extends RealmBase {
@Override
protected String getPassword(String username) {
// Fetch hashed password from your storage
return storedHashes.get(username);
}
@Override
protected Principal getPrincipal(String username) {
return new GenericPrincipal(username, getPassword(username), getRoles(username));
}
}Configure in server.xml:
<Realm className="com.yourpackage.BCryptRealm"/>When transitioning existing installations:
- Create a script to hash all existing passwords
- Test authentication thoroughly before deploying
- Consider implementing a dual-authentication period
- Always use strong hashing algorithms (SHA-256 or better)
- Combine with SSL/TLS for transport security
- Regularly rotate credentials even when hashed
- Consider external credential storage (LDAP, database)
For production environments, I recommend combining this with container-managed security or integrating with enterprise authentication systems.
In a default Tomcat 6 installation on Ubuntu, user credentials are stored in tomcat-users.xml with passwords in plaintext format. This poses significant security risks:
<user username="admin" password="secret123" roles="manager,admin"/>
Any compromise of server access would expose all credentials immediately. For production systems, we should implement password hashing.
Tomcat supports password hashing through its Realm implementation. Here's how to configure it:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"
digest="SHA-256"/>
Use Tomcat's digest utility to create hashed passwords:
$CATALINA_HOME/bin/digest.sh -a SHA-256 -s 0 -i 1 yourpassword
or on Windows:
%CATALINA_HOME%\bin\digest.bat -a SHA-256 yourpassword
Modify your user definition to use the hashed value:
<user username="admin"
password="a59a8e27568b0407be98f6b2280d6a3b47f8e0726c0b82e34cf7dc6b87307e3"
roles="manager,admin"/>
For more advanced setups, consider using JDBCRealm with a proper database:
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://localhost/authority"
userTable="users" userNameCol="username" userCredCol="password"
userRoleTable="user_roles" roleNameCol="role"
digest="SHA-256"/>
For maximum flexibility, implement a custom Realm:
public class CustomRealm extends RealmBase {
@Override
protected String getName() { return "CustomRealm"; }
@Override
protected String getPassword(String username) {
// Retrieve hashed password from your storage
}
@Override
protected Principal getPrincipal(String username) {
return new GenericPrincipal(username, getPassword(username), getRoles(username));
}
}
- Always use strong hashing algorithms (SHA-256 or better)
- Consider adding salt to your hashes
- Regularly rotate credentials
- Implement proper access controls for tomcat-users.xml