tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: encrypting passwords in tomcat-users.xml
Date Thu, 23 Nov 2017 17:04:06 GMT

On 11/22/17 1:50 PM, Guy wrote:
> Maybe I should ask this in a different way: what are the steps to
> use encrypted passwords in tomcat-users.xml under Tomcat 8.0.14?

Note that the passwords aren't "encrypted" per se (that is, they are not
using reversible encryption), but they have been modified such that they
cannot be recovered. This is known as a "secure hash" -- even when it's
more complicated than that ... such as using PBKDF2, bcrypt, etc. They
are essentially the same basic idea, but the PBKDF2s of the world add a
bunch of other features to strengthen the key and add complexity to the
process to yield a higher-quality stored credential (the thing that you
put into the tomcat-users.xml file).

> I know what they are in Tomcat 8.0.37. They're both versions of 
> Tomcat 8.0.x, so why does something that works in one not work in
> the other? Does the server.xml configuration need to be different?

That depends upon what you want to do.

> Here are some specifics on how I'm running
> As you will see, they are different. The newer version has more 
> arguments, and produces a different output, in the format 
> salt$iterations$digest.

Yes. This reflects the current default operation of, but the
credential handlers ought to be backward-compatible so if you use a
digest with no salt and no iteration count, the newer version of Tomcat
should be able to use it without a problem. A salted, iterated hash is
more secure than one that isn't, which is why the default operation has
been changed.

> First, on Mac with apache-tomcat-8.0.37:
> % ./ secret 
> secret:304fb189dd47d028f892f95a0d9a2c8d707b24d72474b62e78d30401a7cc05b

The version of Tomcat is significant, but the OS is not. This isn't a
Mac-vs-Linux thing.

> % ./
> Usage: RealmBase [-a <algorithm>] [-e <encoding>] [-i <iterations>]
> [-s <salt-length>] [-k <key-length>] [-h <handler-class-name>] <credentials>
> I believe this is defaulting to SHA-512 as per the docs and the
> fact that it worked when I configured the Realm to use SHA-512 with
> the CredentialHandler.

> Next, on Linux with apache-tomcat-8.0.14-1:
> # ./ secret
> Usage: RealmBase -a <algorithm> [-e <encoding>] <credentials>
> # ./ -a SHA-512 secret
> secret:bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d6
> So, something in the underlying RealmBase class is different, and
> I can't get this output (or anything) to work on this server.
> There's also a warning in the log:
> org.apache.tomcat.util.digester.Digester.endElement   No rules
> found matching
> 'Server/Service/Engine/Realm/Realm/CredentialHandler'.
> which leads me to believe the server.xml configuration needs to be 
> different for this version too. However, none of this is indicated
> in the documentation. I'm at a complete loss.

Pluggable CredentialHandlers (and the significant upgrades to the
authentication system including support for salts and iterations for
"basic" crypto hashes) weren't added until Tomcat 8.0.15 [1], so you
won't be able to use those.

If you need to be able to use the same configuration for both Tomcat
8.0.14 and Tomcat 8.0.37, then you'll need to use the non-salted
non-iterated hashes supported by the older version. If you want to be
able to generate those hashes with Tomcat 8.0.37 and use them with
Tomcat 8.0.14, then you'll need to use some more command-line
arguments to generate a backward-compatible hash:

$ ./ -s 0 -i 1 secret

If you set the salt-length to zero (bytes) and the iteration count to
1, you'll get a hash that matches what Tomcat 8.0.14 would have produced.

Hope that helps,
- -chris
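As an added example (not code from this thread or from Tomcat itself), the Python below reproduces the two stored-credential formats the reply contrasts: the bare hex digest that Tomcat 8.0.14 expects, and the newer `salt$iterations$digest` form that the `-s`/`-i` options control, collapsing to the legacy form when the salt length is 0 and the iteration count is 1. The function names are mine, and it assumes (my reading of Tomcat's MessageDigestCredentialHandler, not something the thread states) that each extra iteration re-hashes the previous digest.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption (not stated in the thread): round 1 hashes salt || password and
# every further round hashes the previous digest, as Tomcat's handler does.
def tomcat_digest(password: str, salt: bytes, iterations: int,
                  algorithm: str = "sha512", encoding: str = "utf-8") -> str:
    """Hex digest of salt || password, re-hashed (iterations - 1) more times."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.new(algorithm, salt + password.encode(encoding)).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(algorithm, digest).digest()
    return digest.hex()


def store_credential(password: str, salt_length: int = 16, iterations: int = 1,
                     algorithm: str = "sha512",
                     salt: Optional[bytes] = None) -> str:
    """The value that goes into tomcat-users.xml.

    salt_length=0 and iterations=1 (the '-s 0 -i 1' case in the reply) yields
    the bare hex digest an 8.0.14 Realm understands; anything else yields the
    'salt$iterations$digest' form that needs a CredentialHandler (8.0.15+).
    """
    if salt is None:
        salt = os.urandom(salt_length)       # fresh random salt per credential
    digest = tomcat_digest(password, salt, iterations, algorithm)
    if len(salt) == 0 and iterations == 1:
        return digest                        # legacy: unsalted, single round
    return f"{salt.hex()}${iterations}${digest}"


def verify(password: str, stored: str, algorithm: str = "sha512") -> bool:
    """Accept both formats, as the reply says a newer Tomcat ought to."""
    parts = stored.split("$")
    if len(parts) == 3:                      # salt$iterations$digest
        salt, iterations, expected = bytes.fromhex(parts[0]), int(parts[1]), parts[2]
    else:                                    # legacy: no salt, one round
        salt, iterations, expected = b"", 1, stored
    candidate = tomcat_digest(password, salt, iterations, algorithm)
    # Constant-time comparison so the check does not leak how many hex digits matched.
    return hmac.compare_digest(candidate.lower(), expected.lower())
```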
