Tags: apache, tomcat, hash, cryptography, webserver

How to prevent hashed password login in Tomcat 7.0.52?


I am using a Tomcat 7.0.52 server and using a hashed password in the tomcat-users.xml.

My server is accepting logins using the plain-text password and hashed password both.

How do I prevent / block users from logging in using the hashed password and force them to use the plaintext password?

Snippets of the relevant files:

web.xml:

<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>testvalue</realm-name>
</login-config>

server.xml:

<Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA"/>

tomcat-users.xml:

<user username="testuser" password="xxxx--------------yyyy" roles="testrole"/>

Solution

  • I know this isn't strictly the answer to what you asked, but I would recommend upgrading Tomcat to at least the latest version of 8.0 (8.0.48 at the time of posting). It's been a while since I made the upgrade from 7 to 8, but if memory serves it was pretty painless. This link should have everything you need to know about migrating up. The only thing that comes to mind that you'll really need to look out for is that it requires Java 7 or higher, and even that shouldn't be a big issue unless you have a particularly particular setup going.

    Tomcat 8.0.x Instructions Below

    This is how I have mine set up, and I cannot log in by pasting my hashed password into the password field. I opted for sha-512 and arbitrarily picked 512 for my salt length as well. You don't have to, but why not?

    Tomcat 8 - server.xml

    <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- Tomcat comment stuff trimmed out here -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
            <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="sha-512" saltLength="512" />
        </Realm>
    </Realm>
    

    Tomcat 8 - tomcat-users.xml:

    <role rolename="yourrolehere"/>
    <user username="yourusername" password="yourhashedpasswordhere" roles="yourrolehere"/>
    

    I'm sure you already know how to use digest.bat (or digest.sh if that's your thing), but for anyone else tuning in: open a command prompt, navigate to your Tomcat installation and into the bin directory, then enter the following:

    digest -a sha-512 -s 512 youRcl3artextpa$sword
    

    This will produce a very long password hash in the format of:

    youRcl3artextpa$sword:hashedpasswordforalongtime
    

    Copy everything after the semi-colon and make sure it has no line breaks (clean it up in Notepad if you need to). That's your new hashed password.

    Tomcat 8 Digested Passwords Documentation
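To make concrete why the salted, iterated credential produced by digest.sh -a sha-512 -s 512 does not let anyone log in by pasting the stored hash, here is an added Python example (not Tomcat's own code, and not part of the question or the answer above) that reproduces the stored credential format as I understand it from the Tomcat 8 MessageDigestCredentialHandler documentation: hex salt, iteration count and hex digest separated by $, with extra iterations applied by re-digesting the previous output. The function names make_credential and matches, the constructed fixed salt and the test password are my own assumptions for illustration; a real deployment would let digest.sh generate a random salt.

```python
import hashlib
import hmac
import os


def _digest(algorithm, parts, iterations):
    """Digest the concatenation of `parts` and then re-digest the output
    `iterations - 1` more times (assumed to mirror Tomcat's iteration scheme).
    Java algorithm names such as "sha-512" are mapped to hashlib names."""
    name = algorithm.lower().replace("-", "")
    h = hashlib.new(name)
    for part in parts:
        h.update(part)
    out = h.digest()
    for _ in range(1, iterations):
        out = hashlib.new(name, out).digest()
    return out


def make_credential(password, algorithm="sha-512", salt_length=512,
                    iterations=1, salt=None):
    """Build a stored credential in the assumed <salt-hex>$<iterations>$<digest-hex>
    layout. `salt_length` is in bytes, matching the digest.sh -s argument."""
    if salt is None:
        salt = os.urandom(salt_length)
    digest = _digest(algorithm, [salt, password.encode("utf-8")], iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def matches(stored, candidate, algorithm="sha-512"):
    """Verify `candidate` against `stored`. A credential without '$' is treated
    as a legacy unsalted single-round digest; anything else that is not
    well-formed hex is rejected. Comparison is constant-time."""
    parts = stored.split("$")
    try:
        if len(parts) == 3:
            salt = bytes.fromhex(parts[0])
            iterations = int(parts[1])
            expected = bytes.fromhex(parts[2])
            actual = _digest(algorithm, [salt, candidate.encode("utf-8")], iterations)
        elif len(parts) == 1:
            expected = bytes.fromhex(stored)
            actual = _digest(algorithm, [candidate.encode("utf-8")], 1)
        else:
            return False
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


def demo():
    """Show that only the cleartext password verifies: pasting the whole stored
    credential, or just its digest part, is rejected. Returns the three outcomes."""
    # Constructed fixed salt so the demo is reproducible; digest.sh would randomise it.
    salt = bytes(range(16))
    stored = make_credential("youRcl3artextpa$sword", salt_length=16, salt=salt)
    return {
        "cleartext_accepted": matches(stored, "youRcl3artextpa$sword"),
        "full_credential_accepted": matches(stored, stored),
        "digest_part_accepted": matches(stored, stored.split("$")[2]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-26s %s" % (name, ok))
```

Keeping the salt and the iteration count inside the stored string is what lets the server recompute the digest for each attempt while making the stored value itself useless as a login token; the unsalted branch in matches exists only so the verifier mirrors the legacy format Tomcat still accepts, and it is the format the salted configuration in the answer moves away from.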