How to Encrypt passwords specified in tomcat-user.xml in EWS?

Solution Verified - Updated -

Environment

  • Red Hat JBoss Enterprise WebServer (EWS)
    • 2.0.1
    • 3.x
    • 5.x
    • 6.x

Issue

  • There are users specified with their passwords in $TOMCAT_HOME/conf/tomcat-users.xml, these users are part of authentication for accessing the web applications. How to Encrypt these passwords specified tomcat-user.xml in EWS 2.0.1?
  • How to mask Clear text password in Tomcat configuration file like tomcat-users.xml ?

Resolution

  • There is a file named digest.sh within the bin directory as follows, that can be used to mask passwords:-
$TOMCAT_HOME/bin/digest.sh

Note: In the rpm installation, the script is named tomcat-digest and it is located in /opt/rh/jws(5|6)/root/usr/bin directory.

  • The following steps were taken to encrypt the password:-

    • Encrypt using $TOMCAT_HOME/bin/digest.sh as follows1:-
    [krathod@dhcp223-150 bin]$ ./digest.sh -a SHA1 password
 password:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
    • Add the SHA1 algorithm in $TOMCAT_HOME/conf/server.xml as follows:-
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
    digest="SHA1" resourceName="UserDatabase"/>
</Realm>
    • The $TOMCAT_HOME/conf/tomcat-users.xml should have the following:-
    <role rolename="TomcatAdmin"/>
<user username="jboss" password="5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" roles="TomcatAdmin"/>
    • The web.xml(in FormBasedSecurity web application uploaded in testcase.zip) usually looks like follows:-
    <security-constraint>    
  <web-resource-collection>
     <web-resource-name>MySecuredResource-1</web-resource-name>
     <url-pattern>/secured/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
      <role-name>TomcatAdmin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginfail.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>TomcatAdmin</role-name>
</security-role>

  • With this when hitting http://localhost:8080/FormBasedSecurity/secured/showPrivateData.jsp you will be successfully able to access the page with username as jboss and password as password.

  • The following files have been uploaded in the file testcase.zip for your reference:-

    • testcase.zip/conf/server.xml
    • testcase.zip/conf/tomcat-users.xml
    • testcase/FormBasedSecurity (web application)

  1. Note that you can also use SHA instead of SHA1, however then you will need to specify the command as ./digest.sh -a SHA password and you will need to specify SHA also in $TOMCAT_HOME/conf/server.xml↩︎

Attachments

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments