Sunday, July 18, 2010

Tomcat Manager Password

This post will cover basic set up and configuration to access the Tomcat Manager interface.

After installing Tomcat 6, as shown in my previous post, you can navigate to to access the Tomcat Manager.

With some variation, which we will note, the procedure is the same for Tomcat 5, 6, and 7 (Beta).

By default, no users or passwords are created for the Tomcat manager role.

To set a user name and password, we need to configure the tomcat-users.xml file located at $CATALINA_HOME/conf/tomcat-users.xml.

In the case of our installation, $CATALINA_HOME is located at /usr/share/apache-tomcat-6.0.26.

By default the Tomcat 6 tomcat-users.xml file will look as below.

Note that while examples are provided, the elements between the <tomcat-users> and </tomcat-users> tags have been commented-out using <!-- -->

Most of what you need is explained in the file itself.

Now, in order to access Tomcat Manager we simply need to add a role, manager, and then add a user name with password and assign the user to the manager role.

I'll create a user 'david' with password 'BlogPost', and I'll assign 'david' to the manager role.


That's it! Very simple.

We added the role 'manager', and then created the username 'david' with password 'BlogSpot' and assigned the user to manager role.

IMPORTANT NOTE: For Tomcat 7.0, which is now in Beta Release, the role name is manager-gui. If configuring Tomcat 7.0, use this in place of 'manager':


Now, restart your Tomcat instance, and verify that you are able to access the Tomcat Manager at

Click on the Tomcat Manager link on the Administration menu and enter the user name and password you created above.

Securing Your Tomcat Manager Password: Creating an SHA or MD5 Digest Password

You could stop here, but since the password is stored in plain text in the tomcat-users.xml file, it's a good idea to encrypt your password.

By default, Tomcat employs a simple, file based UserDatabase Realm for security. In this case, passwords are stored in plain text in the tomcat-users.xml file we configured above.

There are much stronger security Realms that can be used such as JNDI and JDBC, but we'll start with the simplest and create a Digested version of our password we created above.

For our Digest algorithm we can use SHA or MD5.

We can do this in a few simple steps.

First, we create a Digest version of our password using the script located at $CATALINA_HOME/bin/

For SHA, we use issue ./ -a sha BlogSpot as shown below.

[root@server1 bin]# ./ -a sha BlogSpot

We then copy the output, 89fc9f60780695d50b5cf5b0598957fc88c91487, which is our SHA Digest password. Copy it somewhere safe, you will need it in a moment.

Similarly, for MD5, we issue ./ -a md5 BlogSpot as shown below.

[root@server1 bin]# ./ -a md5 BlogSpot

We then copy the output, f105429be7c7a3518f9376b3de4f0f1d, which is our MD5 Digest password. Copy it somewhere safe, you will need it in a moment.

Now, in our tomcat-users.xml file, replace the plain text password we created 'BlogSpot' (or whatever you used) with the SHA or MD5 Digest password you generated above. I'm going to use SHA.

[root@server1 conf]# vi tomcat-users.xml

Finally, we need to make an adjustment to our server.xml file, located in the Tomcat conf directory, so Tomcat knows we are using a Digest password as well as the Digest algorithm we selected (SHA or MD5).

In your server.xml file, look for this section:


At the end of the entry, we add: digest="sha" as shown below if we used the SHA Digest Algorithm.

If we used the MD5, we add digest="md5" as shown below.

We have now created the manager role, added a user with password to the manager role, as well as encrypted our user password using MD5 or SHA Digest.

Later we'll look at JDBC and JNDI security Realms, as well as other measures for securing your Tomcat installation.

Related Posts:
Install Tomcat 6 on CentOS
Tomcat Oracle JDBC Connection
Tomcat Custom 404 Page

No comments: