Passwords in Tomcat are defined in the tomcat-users.xml file. The passwords in this file are stored in plain text. Normally a UserDatabaseRealm exists in Tomcat which reads the users from the tomcat-users.xml file to authenticate them.
The plain text passwords can be replaced by using the digest utility that ships with Tomcat. Plain text passwords are not good inside production environments; they can be encoded by a method called digesting the passwords, which is provided by Tomcat itself.
The realm in use authenticates by comparing the stored password with the one that the user submitted. We can configure the digest attribute of the Realm element to select digested passwords. The value for this attribute must be one of the digest algorithms supported by the java.security.MessageDigest class (SHA, MD2, or MD5).
When the authenticate() method of the Realm is called, the (cleartext) password specified by the user is itself digested by the same algorithm, and the result is compared with the value returned by the Realm. An equal match implies that the cleartext version of the original password is the same as the one presented by the user, so that this user should be authorized.
Now let's see how we can configure Tomcat to use digested passwords.
1. Modify the Realm elements in the server.xml file like so:

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <!-- This Realm uses the UserDatabase configured in the global JNDI
       resources under the key "UserDatabase". Any edits that are
       performed against this UserDatabase are immediately available
       for use by the Realm. -->
  <Realm className="org.apache.catalina.realm.MemoryRealm" digest="MD5" />
</Realm>

In the above snippet, I added the MemoryRealm with the digest set to MD5.
2. Create an MD5 digest of the password: go to the tomcat/bin location and run

./digest.sh -a MD5 secret
secret:5ebe2294ecd0e0f08eab7690d2a6ee69

In the above snippet, I created an MD5 digest of the string "secret", which I will use as the password.
3. Now that we have the MD5, we modify the tomcat-users.xml file as follows:

<role rolename="manager-gui"/>
<user username="tomcat" password="5ebe2294ecd0e0f08eab7690d2a6ee69" roles="manager-gui"/>
4. Restart Tomcat and open the Tomcat manager console with the user name and password.
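To make the authenticate() comparison described above concrete, here is an added Python example (not Tomcat's own code, which is Java): it reads the user entry from step 3, digests a submitted password with the algorithm the realm's digest attribute selects, and compares the result with the stored value. The tomcat-users.xml fragment is constructed from the post; the function names are my own.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml fragment mirroring step 3 of the post.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat"
        password="5ebe2294ecd0e0f08eab7690d2a6ee69"
        roles="manager-gui"/>
</tomcat-users>"""


def load_users(xml_text):
    """Return {username: (stored_digest_hex, [roles])} from a tomcat-users.xml document."""
    root = ET.fromstring(xml_text)
    users = {}
    for user in root.iter("user"):
        roles = [r for r in user.get("roles", "").split(",") if r]
        users[user.get("username")] = (user.get("password"), roles)
    return users


def digest_password(cleartext, algorithm):
    """Digest the cleartext as the realm's digest attribute (MD5, SHA or MD2) selects."""
    # Tomcat's "SHA" is Java's SHA-1, which hashlib calls "sha1".
    # "md2" is only present if the underlying OpenSSL build still provides it.
    name = {"MD5": "md5", "SHA": "sha1", "MD2": "md2"}[algorithm.upper()]
    return hashlib.new(name, cleartext.encode("utf-8")).hexdigest()


def authenticate(users, username, cleartext, algorithm="MD5"):
    """Mimic Realm.authenticate(): digest the submitted password and compare it
    with the stored digest. Returns the user's roles on success, else None."""
    entry = users.get(username)
    if entry is None:
        return None
    stored, roles = entry
    candidate = digest_password(cleartext, algorithm)
    # Constant-time comparison so timing does not reveal how many leading
    # hex characters of the stored digest a guess matched.
    if hmac.compare_digest(candidate.lower(), stored.lower()):
        return roles
    return None
```

Note that the stored value is a single unsalted MD5 of the password, so anyone who can read tomcat-users.xml can test password guesses against it offline at full speed; file permissions on tomcat-users.xml remain an important control.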
More to come, happy learning :-)