By default, the Tomcat web server deals with clear-text passwords, regardless of the method you use for setting up login accounts.
If Tomcat uses an existing directory or database of accounts, then by default Tomcat expects to receive clear-text passwords. If your existing account repository already stores passwords as hashes, you should set Tomcat to accept hashed passwords.
If Tomcat uses a local XML file containing account details, then by default this file contains clear-text passwords, which can be read by anyone with access to the file. If you store the login accounts in the XML file, we strongly recommend that you configure Tomcat to use hashed passwords instead. This means that the passwords of any login account details that are stored in the local Tomcat file can be stored as a hash rather than in clear text.
To use hashed passwords in either the local XML file or in an existing database or directory, you must configure Tomcat to accept hashed passwords.
Copyright © 2011 CA. All rights reserved. | Email CA Technologies about this topic |