Maybe I should ask this in a different way: what are the steps to use encrypted passwords in tomcat-users.xml under Tomcat 8.0.14? I know what they are in Tomcat 8.0.37. They're both versions of Tomcat 8.0.x, so why does something that works in one not work in the other? Does the server.xml configuration need to be different?

Here are some specifics on how I'm running digest.sh.

As you will see, they are different. The newer version has more arguments, and produces a different output, in the format salt$iterations$digest.

First, on Mac with apache-tomcat-8.0.37:

% ./digest.sh secret
secret:304fb189dd47d028f892f95a0d9a2c8d707b24d72474b62e78d30401a7cc05b6$1$a299b9b24fdaf7219500ad39f21cea319fdce2a99d175c263ab16bd89c428ffdbafea125f9559a4be9081b5955c35574dae002fb2b32b1acccdef9c77a81fb2e
% ./digest.sh
Usage: RealmBase [-a <algorithm>] [-e <encoding>] [-i <iterations>] [-s <salt-length>] [-k <key-length>] [-h <handler-class-name>] <credentials>

I believe this is defaulting to SHA-512 as per the docs and the fact that it worked when I configured the Realm to use SHA-512 with the CredentialHandler.

Next, on Linux with apache-tomcat-8.0.14-1:

# ./digest.sh secret
Usage: RealmBase -a <algorithm> [-e <encoding>] <credentials>
# ./digest.sh -a SHA-512 secret
secret:bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2

So, something in the underlying RealmBase class is different, and I can't get this output (or anything) to work on this server. There's also a warning in the log:

org.apache.tomcat.util.digester.Digester.endElement No rules found matching 'Server/Service/Engine/Realm/Realm/CredentialHandler'.

which leads me to believe the server.xml configuration needs to be different for this version too. However, none of this is indicated in the documentation. I'm at a complete loss.

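Added example, not part of the original post and not Tomcat's own code: a Python sketch that parses both digest.sh output forms shown above (the bare hex digest from 8.0.14 and salt$iterations$digest from 8.0.37) and checks a password against either. It assumes the salted form is hex(salt)$iterations$hex(digest), with the first round hashing the salt bytes followed by the UTF-8 password and each further round re-hashing the previous output; the function names are hypothetical.

```python
import hashlib
import hmac
import os

# Digest strings copied from the two digest.sh runs in the post.
OLD_8_0_14 = "bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2"
NEW_8_0_37 = "304fb189dd47d028f892f95a0d9a2c8d707b24d72474b62e78d30401a7cc05b6$1$a299b9b24fdaf7219500ad39f21cea319fdce2a99d175c263ab16bd89c428ffdbafea125f9559a4be9081b5955c35574dae002fb2b32b1acccdef9c77a81fb2e"


def parse_stored(stored):
    """Return (salt or None, iterations, digest_hex) for either output form."""
    parts = stored.strip().split("$")
    if len(parts) == 1:                      # 8.0.14 form: bare hex digest
        return None, 1, parts[0].lower()
    if len(parts) != 3:
        raise ValueError("expected <digest> or salt$iterations$digest")
    salt_hex, iterations, digest_hex = parts
    rounds = int(iterations)
    if rounds < 1:
        raise ValueError("iterations must be >= 1")
    return bytes.fromhex(salt_hex), rounds, digest_hex.lower()


def digest(password, salt=None, iterations=1, algorithm="sha512"):
    # Assumption (see lead-in): round 1 hashes salt || password,
    # every later round hashes the previous round's raw output.
    out = hashlib.new(algorithm, (salt or b"") + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        out = hashlib.new(algorithm, out).digest()
    return out.hex()


def make_stored(password, salt_length=32, iterations=1):
    """Build a salt$iterations$digest string with a fresh random salt."""
    salt = os.urandom(salt_length)
    return f"{salt.hex()}${iterations}${digest(password, salt, iterations)}"


def matches(stored, password):
    """Constant-time comparison of a candidate password with a stored value."""
    salt, iterations, expected = parse_stored(stored)
    return hmac.compare_digest(digest(password, salt, iterations), expected)


if __name__ == "__main__":
    for label, stored in (("8.0.14", OLD_8_0_14), ("8.0.37", NEW_8_0_37)):
        salt, rounds, dig = parse_stored(stored)
        print(label, "salt bytes:", len(salt) if salt else 0, "iterations:", rounds,
              "digest bits:", len(dig) * 4, "matches 'secret':", matches(stored, "secret"))
```

The random salt is why repeated runs of the newer digest.sh give different strings for the same password, while the unsalted form is identical every time.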