Encrypting passwords in Tomcat JDev. Apache Tomcat is by far the most popular open source web server and Java servlet container. It has been around for a long time and at the time of writing this post has reached version 7. As Apache rightfully claims on its web site, Tomcat powers numerous large scale, mission critical web applications across a diverse range of industries and organizations. Therefore, one might imagine that such a widely used server would out of the box already prove to be very secure. However, alot of weaknesses in Apache Tomcat stem from incorrect or inappropriate configuration as is the case not only for Tomcat but for the majority of software products, I would imagine. The OWASP organization has written up a nice document with a lot of best practices and recommendations on how to make Tomcat more secure than the default out of the box installation. The OWASP document rightfully states that best practices advice us never to store clear text passwords, but that in the case of the server. In this post, I will try to look into ways to avoid storing clear text password in Tomcats files that hopefully will make it less difficult to avoid. Internet Manager New Version 2012 With Crack. Encrypt the admins password. Tomcat comes with a nice little app called the Web Application Manager, which makes it easy to deploy a new war file. To be able to use the application you have to add an account with the role of manager gui. Experts Exchange Questions Windows 10 Task Manager Shows Commons Daemon Service Runner hogging CPUMemory. Netbeans74JeeLinux/installNetBeans74Gui.png' alt='Install Php On Tomcat 8 Manager' title='Install Php On Tomcat 8 Manager' />This is done by adding the following two lines to the conftomcat users. As you can clearly see, the password is stored in plain text, which is something we would always like to avoid, especially in a production environment. Also, in real life of course, you would never use admin as the username or password. Fortunately, although it apparently isnt widely known, Tomcat comes with a script that  allows us to encrypt passwords. This script is called digest. Windows or digest. Linux and can be found in the bin directory. With this we can specify the encryption algorithm that we want to use here were using SHA 2. C tomcatbin digest. C tomcatbin C tomcatbin digest. C tomcatbin We can now replace the plain text password in the conftomcat users. AES digest. But were still not quite there yet. We some how have to tell Tomcat that weve encrypted the password. So open the file confserver. Realm class. Nameorg. News and feature lists of Linux and BSD distributions. User. Database. Realm. NameUser. Database lt Realm class. Nameorg. apache. User. Database. Realm       resource. NameUser. Database Add the attribute digestsha 2. Realm class. Nameorg. User. Database. Realm. Shootout Stock Pack Download. NameUser. Database. Realm class. Nameorg. User. Database. Realm       resource. NameUser. Database       digestsha 2. Encrypting database passwords. It is well documented how we can configure a JDBC Data. Source in Tomcat, and use it in a web application. Within our application we add a resource ref to our web. My. DB Connectionlt description. My. DBlt res ref name. Data. Sourcelt res type. Containerlt res auth. My. DB Connectionlt description    lt res ref name jdbcMy. DBlt res ref name    lt res type javax. Data. Sourcelt res type    lt res auth Containerlt res auth lt resource ref Next, we have to download and install the appropriate JDBC driver and copy it to Tomcats lib folder. Then we have to edit the confcontext. Resource. Link globaljdbcMy. DB. namejdbcMy. DB. Data. Source lt Resource. Link globaljdbcMy. DB              namejdbcMy. DB              typejavax. Data. Source Finally, edit confserver. Global. Naming. Resources in this example were using Microsoft SQL Server. Resource namejdbcYour. DB. authContainer. Data. Source. max. Active1. 00. max. Idle3. 0. max. Wait1. User passwordVery. S3cr. 3t. driver. Class. Namecom. SQLServer. Driver. NameMy. DB lt Resource namejdbcYour. DB          authContainer          typejavax. Data. Source          max. Active1. 00          max. Idle3. 0          max. Wait1. 00. 00          usernamedatabase. UserpasswordVery. S3cr. 3t          driver. Class. Namecom. SQLServer. Driver          urljdbc sqlserver localhost 1. NameMy. DB Thats it. Weve configured a Data. Source for use in our applications. But, oh dear, as you can clearly see, the database credentials are stored in plain text. And this time we dont have the aid of a digest. The only thing we can do now, is write our own Data. Source that uses encrypted passwords. Of course, were not going to write a complete implementation ourselves. Instead, for this example, we are going to rely on the default connection pool that comes with Tomcat, called Tomcat JDBC Connection Pool, and we will create a class that will extend org. Data. Source. Factory. First of all, create a new Java project and add the tomcat jdbc library to your classpath. If youre using maven, simply add the following dependency. Id org. apache. Id. Id tomcat jdbclt artifact. Id. lt version 7. Id org. apache. Id    lt artifact. Id tomcat jdbclt artifact. Id    lt version 7. Next, we have to write a class called Encryptor that can be used to encrypt and decrypt our passwords. For our example we are going to use the use the AES algorythm. Im not going to explain the details about AES or encryption since there are already a lot of good articles on the web written by far more capable people than me. Unsupported. Encoding. Exception. import java. Invalid. Key. Exception. Key. import java. Message. Digest. import java. No. Such. Algorithm. Exception. import java. Arrays. import javax. Bad. Padding. Exception. Cipher. import javax. Illegal. Block. Size. Exception. import javax. Key. Generator. import javax. No. Such. Padding. Exception. import javax. Secret. Key. Spec. Encryptor. private static final String ALGORITHM AES. String default. Secret. Key This. Is. AVery. Very. Secret. Key. Key secret. Key. Spec. Encryptor throws Invalid. Key. Exception, No. Such. Algorithm. Exception, No. Such. Padding. Exception. Unsupported. Encoding. Exception. thisnull. EncryptorString secret. Key throws No. Such. Algorithm. Exception, No. Such. Padding. Exception, Invalid. Key. Exception. Unsupported. Encoding. Exception. Key. Spec generate. Keysecret. Key. String encryptString plain. Text throws Invalid. Key. Exception, No. Such. Algorithm. Exception. No. Such. Padding. Exception, Illegal. Block. Size. Exception, Bad. Padding. Exception, Unsupported. Encoding. Exception. Cipher cipher Cipher. InstanceALGORITHM. Cipher. ENCRYPTMODE, secret. Key. Spec. byte encrypted cipher. Finalplain. Text. BytesUTF 8. Hex. Stringencrypted. String decryptString encrypted. String throws Invalid. Key. Exception, Illegal. Block. Size. Exception. Bad. Padding. Exception, No. Such. Algorithm. Exception, No. Such. Padding. Exception. Cipher cipher Cipher. InstanceALGORITHM. Cipher. DECRYPTMODE, secret. Key. Spec. byte original cipher. Poemas Oscar Wilde Pdf. Finalto. Byte. Arrayencrypted. String. return new Stringoriginal. Key generate. KeyString secret. Key throws Unsupported. Encoding. Exception, No. Such. Algorithm. Exception. Key null. secret. Key default. Secret. Key. byte key secret. Key. get. BytesUTF 8. Message. Digest sha Message. Digest. get. InstanceSHA 1. Arrays. copy. Ofkey, 1. Key. Generator kgen Key. Generator. get. InstanceAES.