Information

Apache Tomcat ships with a Manager Application which requires users with a role of manager-gui, manager-status, manager-script, and/or manager-jmx to authenticate. The usernames and passwords used to log on to the Manager Application are stored in tomcat-users.xml in plain text by default.

Storing passwords in plain text may allow anyone able to read the tomcat-users.xml file to obtain the credentials of users who have been assigned roles for the Manager Application. This may allow accounts to be compromised on Tomcat and elsewhere.
Solution

Generate the password digest with the digest script shipped in CATALINA_HOME/bin (digest.bat on Windows, digest.sh on Unix-like systems):

digest.bat -a sha-256 YOURPASSWORD

This prints the original password followed by a colon and its SHA-256 digest (YOURPASSWORD:digest).

Replace the plain-text password in the CATALINA_HOME/conf/tomcat-users.xml file with the digest generated above, leaving the username and roles attributes unchanged, as follows:
<user username='admin' password='240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9' />
Add the digest element as a child of the login-config element where the realm-name element has a value of UserDatabase. For example:
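Separately from the realm configuration step, the following is an added audit script (not part of this finding and not Tomcat's own code) that parses a tomcat-users.xml file and reports users holding a Manager role whose password attribute is still plain text rather than a SHA-256 digest; the sample file, the usernames and the password "s3cret" are constructed here, and the salted "salt$iterations$digest" form is accepted on the assumption that Tomcat's MessageDigestCredentialHandler stores salted digests that way.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml: one plain-text password, one SHA-256 digest.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9" roles="manager-script"/>
</tomcat-users>
"""

# Roles that grant access to the Manager Application.
MANAGER_ROLES = {"manager-gui", "manager-status", "manager-script", "manager-jmx"}

# Bare 64-hex SHA-256 (the form produced by "digest -a sha-256" on this page), or
# the salted form "salthex$iterations$hex" (assumed Tomcat CredentialHandler layout).
DIGEST_RE = re.compile(r"^(?:[0-9a-f]*\$\d+\$)?[0-9a-f]{64}$")


def sha256_digest(password: str) -> str:
    """Unsalted SHA-256 hex digest, matching the output digest.bat -a sha-256 shows above."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def looks_like_sha256_digest(value: str) -> bool:
    """True when the stored credential is a digest rather than a plain-text password."""
    return bool(DIGEST_RE.match(value))


def find_plaintext_manager_users(xml_text: str) -> list:
    """Return usernames with a Manager role whose password is not stored as a digest."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":  # strip the XML namespace, if any
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue
        if not looks_like_sha256_digest(elem.get("password", "")):
            findings.append(elem.get("username", "?"))
    return findings


if __name__ == "__main__":
    print("plain-text Manager users:", find_plaintext_manager_users(SAMPLE_TOMCAT_USERS))
    print("replacement digest for admin:", sha256_digest("s3cret"))
```

Run it against a copy of CATALINA_HOME/conf/tomcat-users.xml by passing the file contents to find_plaintext_manager_users; an empty list means every Manager account already stores a digest.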