tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dimas Souza <>
Subject Re: encrypting passwords in tomcat-users.xml
Date Wed, 22 Nov 2017 10:52:38 GMT
Hi Christopher,

I've been trying to figure out this issues as well, thank you for
your answer, it has clarified some questions of my own.

I still have a question about your answer though, see below:

On 11/20/17 10:53 PM, Christopher Schultz wrote:

>On 11/20/17 1:23 PM, Guy Mac wrote:
>> I'm failing to figure out how to encrypt passwords for (slightly)
>> different versions of Tomcat 8.0.x on different platforms.
>Some background: older versions of Tomcat only supported single-round
>hashing such as MD5, SHA-1, SHA-256, etc. and the newer versions
>support many more options including pluggable modules to do whatever
>you want. Most people will be able to use the baked-in modules to get
>what they want, but you can build your own if you need something special
>> With Tomcat 8.0.37 on MacOS, I run with a password,
>> placing the output in tomcat-users
>Specifically, how do you run this?
>> , and update the Realm for the Catalina engine to: <Realm
>> className="org.apache.catalina.realm.LockOutRealm"> <Realm
>> className="org.apache.catalina.realm.UserDatabaseRealm"
>> resourceName="UserDatabase"> <CredentialHandler
>> className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>> </Realm> </Realm>
>> and that all works just fine.
>> But when I try to repeat the steps for Tomcat 8.0.14-1 on Linux
>> (Debian), it does not work. How do I encrypt passwords for this
>> version of Tomcat?
>The process should should be the same, and the hash should be the same
>no matter what what version of Tomcat you use to produce it, and no
>matter what platform you use.
>From a Tomcat 7.0.x install:
>$ $CATALINA_HOME/bin/ -a SHA-512 's3cret'
>[Note that if you put that on the command-line it will be in your
>shell's history for anyone to see. Try using a leading space character
>to keep some shells from keeping the command in the history.]
>From a Tomcat 8.0.x install:
>$ $CATALINA_HOME/bin/ -a SHA-256 s3cret
>Wait, what?! It turns out that Tomcat 8.0.x uses a salted, iterated
>hash by default and so you get (a) more protection and (b) more stuff
>coming out.
>If you want to get the same thing you got from Tomcat 7.0.x, you'll
>need some additional command-line arguments:
>$ $CATALINA_HOME/bin/ -a SHA-256 -i 1 -s 0 s3cret
>This is true of Tomcat 8.5.x and Tomcat 9.0.x as well.

Since you had to put some more arguments to generate the digest, are they also
necessary on the server.xml file?

>Hope that helps,

Thanks in advance,

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message