How do I use non-plaintext passwords for Tomcat users?

Taken from this page

1. add "digest" attribute on your element in server.xml with a hash algorithm as value (possible values are for example md5, sha-1 or sha-256, where the latter is strongly recommended).
2. Run $CATALINE_HOME/bin/digest.sh -a <YOUR_HASH_ALGORITHM> <YOUR_PASSWORD>
3. You will get an output in the following form <YOUR_PASSWORD>:<ENCRYPTED_PASSWORD>
4. Replace value of user's password attribute in your tomcat-users.xml to <ENCRYPTED_PASSWORD>
5. restart tomcat

See also: Tomcat digest password

For anyone coming here looking for information about Tomcat 8.0.15 or newer, you should probably use SecretKeyCredentialHandler with PBKDF2 instead, since it's much more secure (i.e. harder to crack) than a simple message digest.

For example, in your server.xml:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
   <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                      algorithm="PBKDF2WithHmacSHA512"
                      keyLength="256"
   />
</Realm>

With this configuration, use the following to generate the hashed output from your password:

 $CATALINA_HOME/bin/digest.sh -a "PBKDF2WithHmacSHA512" -i 100000 -s 16 -k 256 -h "org.apache.catalina.realm.SecretKeyCredentialHandler" "YOUR_PASSWORD"

with the iteration-count and salt-size (in bytes) of your choosing. Note that the key length need to be the same as defined in server.xml because of bug 60446. It should be fixed pretty soon upstream though.

WARNING! Please ensure your password does not get saved in your shell's command history. In bash this is achieved by preceding the command with an empty space.

The command will output your password in plain-text and a hex-representation of the resulting credentials, which you should use as your password attribute in your tomcat-users.xml.

Documentation for the CredentialHandler component can be found here. The possible values for the algorithm attribute can be found here.

1) Generate password: /bin>digest.bat -s 0 -a sha-256

Example: /bin>digest.bat -s 0 -a sha-256 admin

Password to use is: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

*Important note: You must use “-s 0 “(salt 0) or it won’t work.

2) paste password above into your tomcat-users.xml file.

Example:

<!-- for password “admin” -->
<user username="tomcat" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" roles="manager-gui,manager,admin"></user>

3) configure server.xml to use SHA-256 digest hashed based passwords:

4) configure your web.xml to use “DIGEST” passwords and update RealmName to match above (in the HTMLManager section)

 <catalina_home>/webapps/manager\WEB-INF\web.xml

    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>UserDatabase</realm-name> 
    </login-config>

Full context:
  <servlet>
    <servlet-name>HTMLManager</servlet-name>
    <servlet-class>org.apache.catalina.manager.HTMLManagerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>2</param-value>
    </init-param>

… SNIPPED_FOR_BREVITY ...   

    <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>UserDatabase</realm-name>
  </login-config>

    <multipart-config>
      <!-- 50MB max -->
      <max-file-size>52428800</max-file-size>
      <max-request-size>52428800</max-request-size>
      <file-size-threshold>0</file-size-threshold>
    </multipart-config>
  </servlet>