For each of the standard Realm implementations, the user’s password (by default) is stored in clear text. In many environments, this is undesirable because casual observers of the authentication data can collect enough information to log on successfully, and impersonate other users. To avoid this problem, the standard implementations support the concept of digesting user passwords. This allows the stored version of the passwords to be encoded (in a form that is not easily reversible), but that the Realm implementation can still utilize for authentication.
When a standard realm authenticates by retrieving the stored password and comparing it with the value presented by the user, you can select digested passwords by specifying the digest attribute on your <Realm> element. The value for this attribute must be one of the digest algorithms supported by the java.security.MessageDigest class (SHA, MD2, or MD5). When you select this option, the contents of the password that is stored in the Realm must be the cleartext version of the password, as digested by the specified algorithm.
When the authenticate() method of the Realm is called, the (cleartext) password specified by the user is itself digested by the same algorithm, and the result is compared with the value returned by the Realm. An equal match implies that the cleartext version of the original password is the same as the one presented by the user, so the user is authenticated.
Let’s discuss each step briefly and enforce the password encryption policy for the Tomcat Manager.
1. We have to define the password digest algorithm in the Realm section of server.xml, as in the following line of code:
<Realm className="org.apache.catalina.realm.MemoryRealm" digest="MD5" />
We can choose the algorithm based on our requirements, such as SHA, RSA, MD5, and so on, as long as it is one of the MessageDigest algorithms described above.
2. Now go to tomcat_home/bin and run the following command; it generates the digested password, as shown in the following screenshot:
[[email protected] bin]# ./digest.sh -a MD5 secret
In the previous command, ./digest.sh is the script that generates the digested password for the Tomcat Realm, and -a specifies the digest algorithm to use; here we are using MD5.
3. Copy the MD5 string and replace the password text in tomcat-users.xml with the following line of code:
<user name="admin" password="5ebe2294ecd0e0f08eab7690d2a6ee69" roles="manager-gui" />
4. Reload the Tomcat service and log in to the Tomcat Manager with the original cleartext password (secret), not the digest.
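The following Python script is an added example (not part of the original text and not Tomcat's own code) that reproduces the two halves of what the steps above rely on: what ./digest.sh -a MD5 secret stores, and what Realm.authenticate() does with the stored value. It assumes the unsalted hex format shown on this page (the digest of the UTF-8 bytes of the cleartext), maps Java's MessageDigest names to hashlib names (Java's "SHA" is SHA-1), and includes a check that the digest pasted into tomcat-users.xml is well-formed, which catches mistakes such as a trailing space inside the password attribute. The tomcat-users.xml content is a constructed sample. An unsalted MD5 digest like the one shown is cheap to brute-force offline, so the verification logic below is the same whichever MessageDigest algorithm you configure.

```python
import hashlib
import hmac
import string
import xml.etree.ElementTree as ET

# Constructed sample of the entry that step 3 writes into tomcat-users.xml.
# The password attribute is MD5("secret"), exactly what ./digest.sh -a MD5 secret prints.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <user name="admin" password="5ebe2294ecd0e0f08eab7690d2a6ee69" roles="manager-gui"/>
</tomcat-users>
"""

# Java MessageDigest algorithm names -> hashlib names ("SHA" in Java means SHA-1).
JAVA_TO_HASHLIB = {"MD5": "md5", "SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256"}


def digest_password(cleartext: str, algorithm: str = "MD5") -> str:
    """Reproduce the value digest.sh stores: the unsalted hex digest of the
    cleartext (assumption: UTF-8 bytes, lowercase hex)."""
    name = JAVA_TO_HASHLIB[algorithm.upper()]
    return hashlib.new(name, cleartext.encode("utf-8")).hexdigest()


def check_stored_digest(stored: str, algorithm: str = "MD5") -> bool:
    """Sanity check for a value pasted into tomcat-users.xml: it must be hex of
    exactly the digest length for the algorithm. A trailing space or a
    truncated copy fails here instead of silently breaking every login."""
    name = JAVA_TO_HASHLIB[algorithm.upper()]
    expected_len = hashlib.new(name).digest_size * 2
    return len(stored) == expected_len and all(c in string.hexdigits for c in stored)


def load_users(xml_text: str) -> dict:
    """Parse <user> elements into {name: {"password": ..., "roles": [...]}}.
    Both the 'username' and the older 'name' attribute spellings are accepted."""
    root = ET.fromstring(xml_text)
    users = {}
    for u in root.iter("user"):
        name = u.get("username") or u.get("name")
        roles = [r.strip() for r in (u.get("roles") or "").split(",") if r.strip()]
        users[name] = {"password": u.get("password") or "", "roles": roles}
    return users


def authenticate(users: dict, username: str, presented: str, algorithm: str = "MD5"):
    """Mirror of the Realm.authenticate() behaviour described in the text: digest the
    presented cleartext with the configured algorithm and compare it with the stored
    digest. Returns the user's roles on success, None otherwise."""
    candidate = digest_password(presented, algorithm)
    record = users.get(username)
    if record is None:
        # The digest above was still computed, so an unknown user costs about
        # the same time as a wrong password.
        return None
    stored = record["password"]
    if not check_stored_digest(stored, algorithm):
        # A malformed stored value can never match; treat it as a failed login.
        return None
    # Constant-time comparison; hex is compared case-insensitively (assumption).
    if hmac.compare_digest(candidate.lower(), stored.lower()):
        return record["roles"]
    return None


if __name__ == "__main__":
    users = load_users(TOMCAT_USERS_XML)
    print(digest_password("secret"))              # 5ebe2294ecd0e0f08eab7690d2a6ee69
    print(authenticate(users, "admin", "secret")) # ['manager-gui']
    print(authenticate(users, "admin", "Secret")) # None
```

Run it as is to see the digest from step 2 reproduced and the login from step 4 succeed; pass the copied digest through check_stored_digest() before committing a tomcat-users.xml edit.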
If you want more information on the other Tomcat Realms, visit the official Tomcat site.