tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: encrypting passwords in tomcat-users.xml
Date Thu, 23 Nov 2017 05:27:47 GMT
Hash: SHA256


On 11/22/17 5:52 AM, Dimas Souza wrote:
> Hi Christopher,
> I've been trying to figure out this issues as well, thank you for 
> your answer, it has clarified some questions of my own.
> I still have a question about your answer though, see below:
> On 11/20/17 10:53 PM, Christopher Schultz wrote:
>> Guy,
>> On 11/20/17 1:23 PM, Guy Mac wrote:
>>> I'm failing to figure out how to encrypt passwords for
>>> (slightly) different versions of Tomcat 8.0.x on different
>>> platforms.
>> Some background: older versions of Tomcat only supported
>> single-round hashing such as MD5, SHA-1, SHA-256, etc. and the
>> newer versions support many more options including pluggable
>> modules to do whatever you want. Most people will be able to use
>> the baked-in modules to get what they want, but you can build
>> your own if you need something special .
>>> With Tomcat 8.0.37 on MacOS, I run with a password, 
>>> placing the output in tomcat-users
>> Specifically, how do you run this?
>>> , and update the Realm for the Catalina engine to: <Realm 
>>> className="org.apache.catalina.realm.LockOutRealm"> <Realm 
>>> className="org.apache.catalina.realm.UserDatabaseRealm" 
>>> resourceName="UserDatabase"> <CredentialHandler 
>>> className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>>> </Realm> </Realm>
>>> and that all works just fine.
>> Good.
>>> But when I try to repeat the steps for Tomcat 8.0.14-1 on
>>> Linux (Debian), it does not work. How do I encrypt passwords
>>> for this version of Tomcat?
>> The process should should be the same, and the hash should be the
>> same no matter what what version of Tomcat you use to produce it,
>> and no matter what platform you use.
>> From a Tomcat 7.0.x install:
>> $ $CATALINA_HOME/bin/ -a SHA-512 's3cret' 
>> s3cret:1ec1c26b50d5d3c58d9583181af8076655fe00756bf7285940ba3670f99fcb
[Note that if you put that on the command-line it will be in your
>> shell's history for anyone to see. Try using a leading space
>> character to keep some shells from keeping the command in the
>> history.]
>> From a Tomcat 8.0.x install: $ $CATALINA_HOME/bin/ -a
>> SHA-256 s3cret 
>> s3cret:46e78df675f5842ebca3f67679a3ce14fd3ddb08727feacba84935f58914d4
>> Wait, what?! It turns out that Tomcat 8.0.x uses a salted,
>> iterated hash by default and so you get (a) more protection and
>> (b) more stuff coming out.
>> If you want to get the same thing you got from Tomcat 7.0.x,
>> you'll need some additional command-line arguments:
>> $ $CATALINA_HOME/bin/ -a SHA-256 -i 1 -s 0 s3cret 
>> s3cret:1ec1c26b50d5d3c58d9583181af8076655fe00756bf7285940ba3670f99fcb
This is true of Tomcat 8.5.x and Tomcat 9.0.x as well.
> Since you had to put some more arguments to generate the digest,
> are they also necessary on the server.xml file?

That depends upon what specifically you are trying to do. If you
expect to use Tomcat 8.0.x or later and don't have to support an older
version, then I'd recommend using PBKDF2 as your algorithm and simply
sticking with that.

If you have an existing user database, then it's possible to use the
existing algorithm alongside of a better one (such as salted/iterated
SHA-2 or PBKDF2). Have a look at this presentation for some details:

You can find that presentation linked from the Tomcat Presentations page

- -chris
Comment: GPGTools -
Comment: Using GnuPG with Thunderbird -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message