Information
Apache Tomcat ships with a Manager Application which requires users with a role of manager-gui, manager-status, manager-script, and/or manager-jmx to authenticate. The usernames and passwords to log onto the Manager Application are stored in the tomcat-users.xml in plain text by default.
Rationale
Storing passwords in plain text may allow anyone who can read the tomcat-users.xml file to obtain the credentials of users who have been assigned roles for the Manager Application. This may allow accounts to be compromised on Tomcat and elsewhere.
Solution
Generate the encrypted password:
cd $CATALINA_HOME/bin
digest.bat -a sha-256 YOURPASSWORD
This will print the original password followed by the encrypted (digested) password:
YOURPASSWORD:240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9
Replace the plain text password with the encrypted password generated above in the $CATALINA_HOME/conf/tomcat-users.xml file as follows.
<user username='admin' password='240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9'
roles='manager-gui'/>
Set the auth-method element to DIGEST inside the login-config element whose realm-name element has a value of UserDatabase. For example:
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>UserDatabase</realm-name>
</login-config>
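As an added example that is not part of the benchmark text, the following Python script reproduces the unsalted digest.bat -a sha-256 output format and audits a constructed tomcat-users.xml for accounts holding a manager-* role whose password attribute is still plain text. The salted salt$iterations$hash form it also accepts is an assumption about newer Tomcat digest tools, not something the page states.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Hex digest lengths for the algorithms digest.bat accepts via "-a".
DIGEST_HEX_LEN = {"md5": 32, "sha-1": 40, "sha-256": 64, "sha-512": 128}
MANAGER_ROLES = {"manager-gui", "manager-status", "manager-script", "manager-jmx"}


def tomcat_digest(password: str, algorithm: str = "sha-256") -> str:
    """Reproduce the unsalted `digest.bat -a <algorithm> PASSWORD` output shown
    on this page: cleartext, a colon, then the lowercase hex digest."""
    h = hashlib.new(algorithm.replace("-", ""), password.encode("utf-8"))
    return f"{password}:{h.hexdigest()}"


def looks_digested(value: str, algorithm: str = "sha-256") -> bool:
    """True if a password attribute is already stored as a digest: either the bare
    hex form used on this page or the salted `salt$iterations$hash` form that
    newer Tomcat digest tools emit (assumed format, not taken from the page)."""
    bare = rf"[0-9a-f]{{{DIGEST_HEX_LEN[algorithm]}}}"
    return re.fullmatch(rf"(?:[0-9a-f]+\$\d+\$)?{bare}", value) is not None


def find_plaintext_manager_accounts(xml_text: str, algorithm: str = "sha-256") -> list:
    """Return usernames that hold a manager-* role but still have a plaintext password."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate the default xmlns
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if roles & MANAGER_ROLES and not looks_digested(el.get("password", ""), algorithm):
            findings.append(el.get("username"))
    return findings


# Constructed sample tomcat-users.xml: one plaintext manager account, one account
# already using the digest value from the page, and one plaintext non-manager account.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="admin" password="s3cret" roles="manager-gui,manager-status"/>
  <user username="deploy" roles="manager-script"
        password="240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9"/>
  <user username="reader" password="plain" roles="tomcat"/>
</tomcat-users>"""

if __name__ == "__main__":
    print(tomcat_digest("YOURPASSWORD"))
    print("plaintext manager accounts:", find_plaintext_manager_accounts(SAMPLE_TOMCAT_USERS))
```

The audit checks storage format only: Tomcat will verify a digested password only if the Realm that backs UserDatabase is configured for the same digest algorithm, which this script does not inspect.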