Re: Tomcat 9.0.x securing db credentials in server.xml

[Christopher Schultz]

Brian,

On 1/24/26 11:08 AM, Brian Wolfe wrote:
If you're running your application via kubernetes then you just need to use
kubernetes secrets which get mounted into the container as files to a
directory you specify. Then tomcat merely needs to reference the file.
There is no point in encrypting the secrets and having tomcat decrypt them.
Its the job of kubernetes to secure the secrets api. Your job is to protect
the secrets from the application level.

Protecting the secrets from the application level is nearly impossible.

What Kubernetes does is protect the secrets from the developer... 
assuming that the developer doesn't put code into the application that 
extracts those secrets and sends them ... wherever.

-chris

On Sat, Jan 24, 2026 at 10:19 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

Jon,

On 1/21/26 2:53 PM, Mcalexander, Jon J. via users wrote:
Can this be used to pull in any values, like in the
Catalina.properties and set that value to a variable? Just throwing
things at the wall to see what sticks. 😊
I don't *think* so.


https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements
says it's only XML files, though, so you might want to verify yourself.

The same PropertySource should be used to resolve things that look like
ant-style property references in pretty much any XML file Tomcat parses.

It should be easy to verify, since you can define any property you want
in catalina.properties and then just check System.getProperty() once the
container has started.

If PropertySource is used for files other than XML, then we should
change the documentation. But my sense is that the documentation is
accurate.

-chris

From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, January 21, 2026 12:48 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9.0.x securing db credentials in server.xml




Dineshk,



On 1/21/26 4:36 AM, dineshk via users wrote:

Would like to know the recommended approach to secure the db
credentials in Tomcat , defined in server.xml file . The application could
be deployed on AKS or as normal on premises deployment.

Is there any recommended common solution? If not , what recommended
approach in each case .

Please let me know . It would be really helpful.



While I wholeheartedly agree with Mark's separate response, since you

mentioned AKS, I want to draw your attention to an apparently

little-used component of Tomcat:




https://urldefense.com/v3/__https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html*Property_replacements__;Iw!!F9svGWnIaVPGSwU!u_LCWWE3YwNUQr7YGC0HxCMrnAQPVDMv_7FcyFWxFTcEYF-PIgUiIo5092B5O9eNZ6TklNBfhWYL34W2Zv82m6e21Cd7L3cY$
<
https://urldefense.com/v3/__https:/tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html*Property_replacements__;Iw!!F9svGWnIaVPGSwU!u_LCWWE3YwNUQr7YGC0HxCMrnAQPVDMv_7FcyFWxFTcEYF-PIgUiIo5092B5O9eNZ6TklNBfhWYL34W2Zv82m6e21Cd7L3cY$




There is a reference to the ServiceBindingPropertySource which is a

Tomcat component that can be used with resources extracted from e.g.

Kubernetes before Tomcat starts. To be clear: Tomcat does NOT

communicate with AKS directly, but if your deployment drops

environmental files to the disk using the servicebinding.io spec, then

you can just reference those files directly from your e.g. server.xml
file.



For example, I don't use Kubernetes, but I have this working in my

environment for JDBC connections:



     <Resource name="${chomp:myapp.jdbc-datasource:-jdbc/conn}"

           auth="Container"

           type="javax.sql.DataSource"

           defaultAutoCommit="true"

           initialSize="1"

           maxTotal="1"

           maxIdle="1"

           maxWaitMillis="10000"

           url="${chomp:myapp.jdbc-url}"

           username="${chomp:myapp.jdbc-username:-scott}"

           password="${chomp:myapp.jdbc-password:-tiger}"




driverClassName="${chomp:myapp.jdbc--driver-class-name:-com.mysql.jdbc.Driver}"

        ... />



Then I have these files in my SERVICE_BINDING_ROOT directory:



/Users/chris/.webapps/service-binding-root

myapp

myapp/jdbc-url

myapp/jdbc-username



I also have this file as well so I can customize the "samesite" setting

in various environments:

myapp/cookies-samesite



There is more documentation in the ServiceBindingPropertySource class

javadoc, which you can find here:


https://urldefense.com/v3/__https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/tomcat/util/digester/ServiceBindingPropertySource.html__;!!F9svGWnIaVPGSwU!u_LCWWE3YwNUQr7YGC0HxCMrnAQPVDMv_7FcyFWxFTcEYF-PIgUiIo5092B5O9eNZ6TklNBfhWYL34W2Zv82m6e21Lt-9qK6$
<
https://urldefense.com/v3/__https:/tomcat.apache.org/tomcat-9.0-doc/api/org/apache/tomcat/util/digester/ServiceBindingPropertySource.html__;!!F9svGWnIaVPGSwU!u_LCWWE3YwNUQr7YGC0HxCMrnAQPVDMv_7FcyFWxFTcEYF-PIgUiIo5092B5O9eNZ6TklNBfhWYL34W2Zv82m6e21Lt-9qK6$




The more I have been using the ServiceBindingPropertySource the more

I've been thinking that I should add documentation to the Tomcat User

Guide for these things because reading Javadoc is yucky.



-chris





---------------------------------------------------------------------

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org<mailto:
users-unsubscr...@tomcat.apache.org>

For additional commands, e-mail: users-h...@tomcat.apache.org<mailto:
users-h...@tomcat.apache.org>





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org