You could also take a look at tomcat-vault (https://github.com/picketbox/tomcat-vault).
On Wed, Sep 14, 2016 at 5:37 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Brian,
>
> On 9/14/16 3:40 PM, Paquin, Brian wrote:
>> I was able to set up Tomcat 8.0.35 to use a SHA hashed password in
>> tomcat-users.xml (trying to secure the Manager app a bit more),
>> but the same setup does not work on 8.5.5.
>>
>> Is there something I need to change to get this to work again?
>
> Yes.
>
>> server.xml engine:
>>
>> <Engine name="Catalina" defaultHost="localhost">
>>   <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3"
>>          lockOutTime="600" cacheSize="1000" cacheRemovalWarningTime="3600">
>>     <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>            resourceName="UserDatabase"/>
>>   </Realm>
>>   <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
>>         deployXML="true">
>>     <Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA" />
>>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>>            directory="logs" prefix="localhost_access_log" suffix=".txt"
>>            pattern="%h %l %u %t &quot;%r&quot; %s %b" />
>>   </Host>
>> </Engine>
>>
>> Command to generate the hash that was used as the user's password in
>> tomcat-users.xml:
>>
>>     /usr/local/tomcat/bin/digest.sh -a SHA my_password
>>
>> In 8.5.5, I can log in to Manager if I replace the SHA hash with
>> the plaintext version of the password...
>>
>> I read through
>> https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html, but
>> still can't get it to work.
>
> Have a look at http://tomcat.apache.org/migration-85.html,
> specifically http://tomcat.apache.org/migration-85.html#Internal_APIs
>
> Note that SHA passwords are no better than plaintext passwords. If you
> want to *actually* add some security, you need to at least use salted
> passwords. Better yet, use a PBKDF.
>
> You might want to have a look at this presentation:
> http://people.apache.org/~schultz/ApacheCon%20NA%202016/Seamless%20Upgrades%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJX2cL/AAoJEBzwKT+lPKRYm7AP/jW9ux3JM/zsSJjPymE/xPMw
> /mpI1Jh2kCViRA+wF9vWcuuHN/T/ib5MwinYdZnqwvtddRQUoBY5jKKcjieJWhFo
> UwdSZGmXGHOtJMyB+9DPIo17HuuSmxMNXDILCAaMd8pXvKZgsPJv4x9/lPC5uHyJ
> SpSJ9vcc6NKDzQq8AV/F9Q17HCaGPkl1Vi2d+Sbpvcm5vdqgKcDlGcOe6exUlIWP
> pMiOkvo+hEG77WpGKz1E2C0gBz3O1vs2AKwzWP3gmh10NinUNvfzPY9iqAylFNAq
> c5Mk+rvliCcQWss+O54IfbVO2dYElbcy3hktn4X7h1UOxSuw6qGJ3HeKsUBKlIho
> 5rL9J8nwkF+lechxVgdh4Q8CWJVZ5AsicmwMnd88o00TG8fO0XAb3oM496I0meLg
> xeiOTexg8S0RPLVFnCQ8mckaeTVzooLzuezJLAXO4YUnEZJHPrehR+ZL8Oblk6Fa
> 102AA+LFpCkW1L0JEFMrpCzmEc3Ue6VMVPeNorfTv/u2MBFfM+hpR0kmeDURUoA8
> C+i0Z4GHxRVL7M96ba2Irxs4eNkCV2v9IvCsgnz3LTXKuAggd/6dCTEPYEkE2sTO
> Tju+To9xWVudj6gwmya7SfNeKxb4PECBP4NgD5uRoljNDJNW1Eu80m7C2cxRGao8
> LXmKRsuWXsrTt6OOA9wZ
> =2Z2D
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
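The thread says what changed between 8.0 and 8.5 (the Realm `digest` attribute moved into a nested `CredentialHandler`, per the migration guide section Chris links) and what Chris recommends instead of bare SHA (salt, then a PBKDF), but shows neither in configuration form. The fragment below is an added example written for this page, not Brian's posted config nor anything from the Tomcat project; it keeps Brian's LockOutRealm/UserDatabaseRealm nesting and the `CredentialHandler` element, class names and attributes that Tomcat 8.5 provides, while the specific iteration count, salt length and key length are illustrative values I chose, not figures from the thread.

```xml
<!-- server.xml for Tomcat 8.5: a Realm no longer accepts digest="SHA".
     The hashing policy is declared as a nested CredentialHandler instead.
     Numbers below are example values, not recommendations from the thread. -->
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="3" lockOutTime="600"
         cacheSize="1000" cacheRemovalWarningTime="3600">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase">
      <!-- Option A: salted, iterated SHA-256. Covers "at least use salted
           passwords"; the salt and round count are stored with each hash. -->
      <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                         algorithm="SHA-256"
                         iterations="100000"
                         saltLength="16"/>
      <!-- Option B: PBKDF2, i.e. Chris's "better yet, use a PBKDF".
           Swap it in for Option A; a Realm takes one CredentialHandler.
      <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                         algorithm="PBKDF2WithHmacSHA512"
                         keyLength="256"
                         iterations="100000"
                         saltLength="16"/>
      -->
    </Realm>
  </Realm>
  <!-- No Host-level Realm here: a Realm inside <Host> would override the
       Engine realm (and its handler) for that host, which is what Brian's
       extra MemoryRealm did. -->
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
  </Host>
</Engine>
```

The stored value in tomcat-users.xml must be produced with the same handler and parameters, so the old `digest.sh -a SHA my_password` output no longer fits. The 8.5 `digest.sh` accepts the handler class and its settings directly, for example `digest.sh -a SHA-256 -i 100000 -s 16 -h org.apache.catalina.realm.MessageDigestCredentialHandler my_password` for Option A (or `-a PBKDF2WithHmacSHA512 -k 256 -h org.apache.catalina.realm.SecretKeyCredentialHandler` for Option B); it prints `my_password:<salt>$<iterations>$<hash>`, and the part after the colon is what goes in the user's `password` attribute. Two checks worth doing after the change: confirm that the handler's `algorithm`, `iterations` and `saltLength` match the flags you ran `digest.sh` with, since a mismatch fails silently as a bad login, and confirm that no second Realm at Host or Context level is shadowing the one carrying the handler.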