Chapter 14: Tomcat Security

2. Close your browser and start a new instance, and then try to access the manager application using the new user joe. The UserDatabase has been updated, and authentication succeeds without stopping and starting the Tomcat server. In the approach detailed here, the username and password used for authentication are stored on the server in plaintext. The next section describes how to secure a file-based Realm.

Securing a File-Based UserDatabase Realm

A UserDatabase Realm can be configured more securely than previously illustrated. While UserDatabase can be made reasonably secure, the ideal solution for secure authentication is an alternative Realm (JDBC, JNDI, or JAAS), which is discussed shortly. The UserDatabase Realm stores passwords in cleartext in the tomcat-users.xml file, which is not very secure, so a way must be found to store these passwords in a less readable format. Use the following steps to configure UserDatabase in a secure fashion:

1. Select the password digest algorithm.
2. Create a digested password.
3. Add the digested password to the Realm.
4. Test the digested password.

Selecting the DIGEST Algorithm

The choice of digest algorithm is limited to those supported by the java.security.MessageDigest class (typically SHA or MD5). To choose one, the digest attribute of the Realm element in the $CATALINA/conf/server.xml file must be set; in this example, SHA is used. When a user enters a password at the authentication stage, Tomcat digests it with the algorithm specified here and then compares the result with the value stored in the authentication file.

Creating a DIGESTed Password

A digested version of the password must now be created. Tomcat comes with a script (digest.sh on Linux; digest.bat on Windows), located in $CATALINA/bin, that calculates digests. The algorithm to use (SHA in this case) and the string to digest (tomcat, which is our password) must be specified as parameters:

$ $CATALINA_HOME/bin/digest -a sha tomcat
tomcat:536c0b339345616c1b33caf454454d8b8a190d6c

The output is the string entered, followed by a colon and the SHA hash needed.

Adding the DIGESTed Password to the UserDatabase Realm

The final step is to add the digested password to the UserDatabase Realm for the Tomcat installation. This is accomplished by copying the digested output of the preceding step and adding it as the password attribute of a user in tomcat-users.xml.
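The following Python script is an added example, not part of the chapter and not Tomcat's own code. It reproduces what the digest script computes (the hex digest of the cleartext password under the chosen MessageDigest algorithm), reads user entries from a constructed tomcat-users.xml fragment, and performs the check Tomcat makes at login: digest the submitted password and compare it with the stored attribute. The sample user joe, the XML fragment and the helper names are assumptions for illustration; the digest value for tomcat is the one shown in the chapter.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml fragment (not taken from the page). The password
# attribute holds the SHA digest that "digest -a sha tomcat" prints.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="joe"
        password="536c0b339345616c1b33caf454454d8b8a190d6c"
        roles="manager"/>
</tomcat-users>
"""

# Names accepted by the Realm's digest attribute, mapped to hashlib names.
# Java's "SHA" is SHA-1; MD5 is the other commonly available choice.
ALGORITHMS = {"sha": "sha1", "sha-1": "sha1", "md5": "md5"}


def digest_password(cleartext, algorithm="sha"):
    """Hex digest of the cleartext password, as digest.sh/digest.bat print it."""
    h = hashlib.new(ALGORITHMS[algorithm.lower()])
    h.update(cleartext.encode("utf-8"))
    return h.hexdigest()


def load_users(xml_text):
    """Map username -> stored (digested) password from a tomcat-users.xml document."""
    root = ET.fromstring(xml_text)
    return {u.get("username"): u.get("password") for u in root.iter("user")}


def authenticate(users, username, submitted, algorithm="sha"):
    """Digest the submitted password and compare it with the stored digest.

    The comparison is constant-time and case-insensitive on the hex string,
    so a digest pasted in upper case still matches.
    """
    stored = users.get(username)
    if stored is None:
        return False
    candidate = digest_password(submitted, algorithm)
    return hmac.compare_digest(candidate.lower(), stored.lower())


if __name__ == "__main__":
    users = load_users(SAMPLE_TOMCAT_USERS)
    print("tomcat:" + digest_password("tomcat"))          # same line the digest script prints
    print("joe/tomcat ->", authenticate(users, "joe", "tomcat"))
    print("joe/wrong  ->", authenticate(users, "joe", "wrong"))
```

Two points worth checking when you adopt this scheme: the digest is unsalted, so two users with the same password get identical attribute values in tomcat-users.xml, and the algorithm named in the Realm's digest attribute must be the same one passed to the digest script, or every login fails after the file is updated.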
