
tomcat server.xml encrypted password


I want to migrate from Tomcat 6 to Tomcat 9. There is a problem in Tomcat 6, which is that the resource passwords are in plain text. Is there a method to encrypt them in Tomcat 9?

An example of the resource is:

    <!-- DBCP2 (Tomcat 8+) names: the abandoned-connection attributes are
         removeAbandonedOnBorrow / removeAbandonedTimeout -->
    <Resource name="jdbc/HasanDB" auth="Container" type="javax.sql.DataSource"
              maxTotal="10" maxIdle="15" minIdle="3" initialSize="2" maxWaitMillis="10000"
              removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
              username="hasan" password="hasanpass" driverClassName="com.mysql.jdbc.Driver"
              url="jdbc:mysql://localhost:3306/HasanDB"/>

If there is no encryption method available, could software be used to feed the passwords when Tomcat starts?


Solution

  • This even has its own section in the Tomcat FAQ. Basically: Encryption of the password would be snake oil - you can only make it slightly harder for people to get access to the password.

    The FAQ gives several options; my favorite part of it is where they suggest the encryption methods that can easily be used in a custom password-encrypting implementation:

    XOR and ROT13 are great candidates for this since their strength matches the protection you'll actually get.

    If, even after the warnings from the FAQ, you still would like to take some action, check the Tomcat Vault.
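As an added illustration of the "feed the passwords when Tomcat starts" idea from the question (this is not the answerer's code and not Tomcat Vault): Tomcat 9 resolves `${...}` placeholders in server.xml through an `org.apache.tomcat.util.IntrospectionUtils.PropertySource` named by the `org.apache.tomcat.util.digester.PROPERTY_SOURCE` system property. The class name, the `env:`/`file:` prefixes and the secret names below are assumptions.

```java
// Added example: a PropertySource that lets server.xml reference a secret as
// ${env:NAME} or ${file:/path} instead of storing it in the file.
// Package, class name, prefixes and secret names are assumed, not Tomcat's own.
package example.tomcat;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;

import org.apache.tomcat.util.IntrospectionUtils;

/**
 * Tomcat calls getProperty(key) for every ${key} it meets while parsing
 * server.xml / context.xml. Returning null hands the key on to Tomcat's other
 * sources (system properties), so only our two prefixes are intercepted.
 *
 * Enable: put the compiled jar in $CATALINA_BASE/lib and add to bin/setenv.sh
 *   CATALINA_OPTS="$CATALINA_OPTS -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=example.tomcat.ExternalSecretSource"
 * Then in server.xml:
 *   <Resource name="jdbc/HasanDB" ... username="hasan" password="${env:HASANDB_PASSWORD}" .../>
 *   or password="${file:/run/secrets/hasandb_password}"  (mode 0400, owned by the tomcat user)
 */
public class ExternalSecretSource implements IntrospectionUtils.PropertySource {

    private static final String ENV_PREFIX = "env:";
    private static final String FILE_PREFIX = "file:";

    @Override
    public String getProperty(String key) {
        if (key == null) {
            return null;
        }
        if (key.startsWith(ENV_PREFIX)) {
            // Anyone who can run code as the tomcat user can still read this
            // (e.g. /proc/<pid>/environ): this moves the secret out of server.xml,
            // it does not protect it, which is exactly the FAQ's point.
            return System.getenv(key.substring(ENV_PREFIX.length()));
        }
        if (key.startsWith(FILE_PREFIX)) {
            try {
                byte[] raw = Files.readAllBytes(Paths.get(key.substring(FILE_PREFIX.length())));
                // Secret files usually end with a newline; strip it, keep the rest.
                return new String(raw, StandardCharsets.UTF_8).trim();
            } catch (IOException e) {
                // Leave the placeholder unresolved: the DB login then fails with the
                // literal ${file:...} value, pointing at the missing file, instead of
                // silently configuring an empty password.
                return null;
            }
        }
        return null;
    }
}
```

The file variant is the one to prefer where a secrets manager or container runtime can mount the password as a file, since a restricted file is easier to audit than the process environment.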