<!DOCTYPE html SYSTEM "about:legacy-compat">
<html lang="en"><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" type="text/css"><title>Apache Tomcat 8 Configuration Reference (8.0.53) - The CredentialHandler Component</title><script type="application/javascript" data-comments-identifier="tomcat-8.0-doc/config/credentialhandler">
"use strict"; // Enable strict mode
(function() {
var thisScript = document.currentScript;
if (!thisScript) { // Workaround for IE <= 11
var scripts = document.getElementsByTagName("script");
thisScript = scripts[scripts.length - 1];
}
document.addEventListener("DOMContentLoaded", (function() {
var commentsDiv = document.getElementById("comments_thread");
var commentsShortname = "tomcat";
var commentsIdentifier = "https://tomcat.apache.org/" +
thisScript.getAttribute("data-comments-identifier") + ".html";
(function(w, d) {
if (w.location.hostname.toLowerCase() == "tomcat.apache.org") {
var s = d.createElement("script");
s.type = "application/javascript";
s.async = true;
s.src = "https://comments.apache.org/show_comments.lua?site=" +
encodeURIComponent(commentsShortname) +
"&page=" + encodeURIComponent(commentsIdentifier);
d.head.appendChild(s);
} else {
commentsDiv.appendChild(d.createTextNode("Comments are disabled for this page at the moment."));
}
})(window, document);
}), false);
})();
</script></head><body><div id="wrapper"><header><div id="header"><div><div><div class="logo noPrint"><a href="https://tomcat.apache.org/"><img alt="Tomcat Home" src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div class="asfLogo noPrint"><a href="https://www.apache.org/" target="_blank"><img src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a></div><h1>Apache Tomcat 8 Configuration Reference</h1><div class="versionInfo">
Version 8.0.53,
<time datetime="2018-06-29">Jun 29 2018</time></div><div style="height: 1px;"></div><div style="clear: left;"></div></div></div></div></header><div id="middle"><div><div id="mainLeft" class="noprint"><div><nav><div><h2>Links</h2><ul><li><a href="../index.html">Docs Home</a></li><li><a href="index.html">Config Ref. Home</a></li><li><a href="https://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a href="#comments_section">User Comments</a></li></ul></div><div><h2>Top Level Elements</h2><ul><li><a href="server.html">Server</a></li><li><a href="service.html">Service</a></li></ul></div><div><h2>Executors</h2><ul><li><a href="executor.html">Executor</a></li></ul></div><div><h2>Connectors</h2><ul><li><a href="http.html">HTTP</a></li><li><a href="ajp.html">AJP</a></li></ul></div><div><h2>Containers</h2><ul><li><a href="context.html">Context</a></li><li><a href="engine.html">Engine</a></li><li><a href="host.html">Host</a></li><li><a href="cluster.html">Cluster</a></li></ul></div><div><h2>Nested Components</h2><ul><li><a href="cookie-processor.html">CookieProcessor</a></li><li><a href="credentialhandler.html">CredentialHandler</a></li><li><a href="globalresources.html">Global Resources</a></li><li><a href="jar-scanner.html">JarScanner</a></li><li><a href="jar-scan-filter.html">JarScanFilter</a></li><li><a href="listeners.html">Listeners</a></li><li><a href="loader.html">Loader</a></li><li><a href="manager.html">Manager</a></li><li><a href="realm.html">Realm</a></li><li><a href="resources.html">Resources</a></li><li><a href="sessionidgenerator.html">SessionIdGenerator</a></li><li><a href="valve.html">Valve</a></li></ul></div><div><h2>Cluster Elements</h2><ul><li><a href="cluster.html">Cluster</a></li><li><a href="cluster-manager.html">Manager</a></li><li><a href="cluster-channel.html">Channel</a></li><li><a href="cluster-membership.html">Channel/Membership</a></li><li><a href="cluster-sender.html">Channel/Sender</a></li><li><a href="cluster-receiver.html">Channel/Receiver</a></li><li><a href="cluster-interceptor.html">Channel/Interceptor</a></li><li><a href="cluster-valve.html">Valve</a></li><li><a href="cluster-deployer.html">Deployer</a></li><li><a href="cluster-listener.html">ClusterListener</a></li></ul></div><div><h2>web.xml</h2><ul><li><a href="filter.html">Filter</a></li></ul></div><div><h2>Other</h2><ul><li><a href="systemprops.html">System properties</a></li></ul></div></nav></div></div><div id="mainRight"><div id="content"><h2>The CredentialHandler Component</h2><h3 id="Table_of_Contents">Table of Contents</h3><div class="text">
<ul><li><a href="#Introduction">Introduction</a></li><li><a href="#Attributes">Attributes</a><ol><li><a href="#Common_Attributes">Common Attributes</a></li><li><a href="#MessageDigestCredentialHandler">MessageDigestCredentialHandler</a></li><li><a href="#NestedCredentialHandler">NestedCredentialHandler</a></li><li><a href="#SecretKeyCredentialHandler">SecretKeyCredentialHandler</a></li></ol></li><li><a href="#Nested_Components">Nested Components</a></li><li><a href="#Special_Features">Special Features</a></li></ul>
</div><h3 id="Introduction">Introduction</h3><div class="text">
<p>The <strong>CredentialHandler</strong> element represents the component
used by a <a href="realm.html">Realm</a> to compare a provided credential such
as a password with the version of the credential stored by the
<a href="realm.html">Realm</a>. The <strong>CredentialHandler</strong> can
also be used to generate a new stored version of a given credential that would
be required, for example, when adding a new user to a
<a href="realm.html">Realm</a> or when changing a user's password.</p>
<p>A <strong>CredentialHandler</strong> element MUST be nested inside a
<a href="realm.html">Realm</a> component. If it is not included,
a default <strong>CredentialHandler</strong> will be created using the
<strong>MessageDigestCredentialHandler</strong>.</p>
</div><h3 id="Attributes">Attributes</h3><div class="text">
<div class="subsection"><h4 id="Common_Attributes">Common Attributes</h4><div class="text">
<p>All implementations of <strong>CredentialHandler</strong> support the
following attributes:</p>
<table class="defaultTable"><tr><th style="width: 15%;">
Attribute
</th><th style="width: 85%;">
Description
</th></tr><tr><td><strong><code class="attributeName">className</code></strong></td><td>
<p>Java class name of the implementation to use. This class must
implement the <code>org.apache.catalina.CredentialHandler</code>
interface.</p>
</td></tr></table>
<p>Unlike most Catalina components, there are several standard
<strong>CredentialHandler</strong> implementations available. As a result,
if a <strong>CredentialHandler</strong> element is present then the
<code>className</code> attribute MUST be used to select the implementation
you wish to use.</p>
</div></div>
<div class="subsection"><h4 id="MessageDigestCredentialHandler">MessageDigestCredentialHandler</h4><div class="text">
<p>The <strong>MessageDigestCredentialHandler</strong> is used when stored
passwords are protected by a message digest. This credential handler
supports the following forms of stored passwords:</p>
<ul>
<li><strong>plainText</strong> - the plain text credentials if no
algorithm is specified</li>
<li><strong>encodedCredential</strong> - a hex encoded digest of the
password digested using the configured digest</li>
<li><strong>{MD5}encodedCredential</strong> - a Base64 encoded MD5
digest of the password</li>
<li><strong>{SHA}encodedCredential</strong> - a Base64 encoded SHA1 digest
of the password</li>
<li><strong>{SSHA}encodedCredential</strong> - 20 character salt followed
by the salted SHA1 digest Base64 encoded</li>
<li><strong>salt$iterationCount$encodedCredential</strong> - a hex encoded
salt, iteration code and a hex encoded credential, each separated by
$</li>
</ul>
<p>If the stored password form does not include an iteration count then an
iteration count of 1 is used.</p>
<p>If the stored password form does not include salt then no salt is
used.</p>
<table class="defaultTable"><tr><th style="width: 15%;">
Attribute
</th><th style="width: 85%;">
Description
</th></tr><tr><td><code class="attributeName">algorithm</code></td><td>
<p>The name of the <code>java.security.MessageDigest</code> algorithm
used to encode user passwords stored in the database. If not specified,
user passwords are assumed to be stored in clear-text.</p>
</td></tr><tr><td><code class="attributeName">encoding</code></td><td>
<p>Digesting the password requires that it is converted to bytes. This
attribute determines the character encoding to use for conversions
between characters and bytes. If not specified, UTF-8 will be used.</p>
</td></tr><tr><td><code class="attributeName">iterations</code></td><td>
<p>The number of iterations to use when creating a new stored credential
from a clear text credential.</p>
</td></tr><tr><td><code class="attributeName">saltLength</code></td><td>
<p>The length of the randomly generated salt to use when creating a
new stored credential from a clear text credential.</p>
</td></tr></table>
</div></div>
<div class="subsection"><h4 id="NestedCredentialHandler">NestedCredentialHandler</h4><div class="text">
<p>The <strong>NestedCredentialHandler</strong> is an implementation of
<strong>CredentialHandler</strong> that delegates to one or more
sub-CredentialHandlers.</p>
<p>Using the <strong>NestedCredentialHandler</strong> gives the developer
the ability to combine multiple <strong>CredentialHandler</strong>s of the
same or different types.</p>
<p>Sub-CredentialHandlers are defined by nesting CredentialHandler elements
inside the <code>CredentialHandler</code> element that defines the
NestedCredentialHandler. Credentials will be matched against each
<code>CredentialHandler</code> in the order they are listed. A match against
any CredentialHandler will be sufficient for the credentials to be
considered matched.</p>
</div></div>
<div class="subsection"><h4 id="SecretKeyCredentialHandler">SecretKeyCredentialHandler</h4><div class="text">
<p>The <strong>SecretKeyCredentialHandler</strong> is used when stored
passwords are built using <code>javax.crypto.SecretKeyFactory</code>. This
credential handler supports the following forms of stored passwords:</p>
<ul>
<li><strong>salt$iterationCount$encodedCredential</strong> - a hex encoded
salt, iteration code and a hex encoded credential, each separated by
$</li>
</ul>
<p>If the stored password form does not include an iteration count then an
iteration count of 1 is used.</p>
<p>If the stored password form does not include salt then no salt is
used.</p>
<table class="defaultTable"><tr><th style="width: 15%;">
Attribute
</th><th style="width: 85%;">
Description
</th></tr><tr><td><code class="attributeName">algorithm</code></td><td>
<p>The name of the secret key algorithm used to encode user passwords
stored in the database. If not specified, a default of
<code>PBKDF2WithHmacSHA1</code> is used.</p>
</td></tr><tr><td><code class="attributeName">keyLength</code></td><td>
<p>The length of key to generate for the stored credential. If not
specified, a default of <code>160</code> is used.</p>
</td></tr><tr><td><code class="attributeName">iterations</code></td><td>
<p>The number of iterations to use when creating a new stored credential
from a clear text credential.</p>
</td></tr><tr><td><code class="attributeName">saltLength</code></td><td>
<p>The length of the randomly generated salt to use when creating a
new stored credential from a clear text credential.</p>
</td></tr></table>
</div></div>
</div><h3 id="Nested_Components">Nested Components</h3><div class="text">
<p>If you are using the <em>NestedCredentialHandler Implementation</em> or a
CredentialHandler that extends the NestedCredentialHandler one or more
<strong><CredentialHandler></strong> elements may be nested inside it.
</p>
</div><h3 id="Special_Features">Special Features</h3><div class="text">
<p>No special features are associated with a
<strong>CredentialHandler</strong> element.</p>
</div><div class="noprint"><h3 id="comments_section">
Comments
</h3><div class="text"><p class="notice"><strong>Notice: </strong>This comments section collects your suggestions
on improving documentation for Apache Tomcat.<br><br>
If you have trouble and need help, read
<a href="https://tomcat.apache.org/findhelp.html">Find Help</a> page
and ask your question on the tomcat-users
<a href="https://tomcat.apache.org/lists.html">mailing list</a>.
Do not ask such questions here. This is not a Q&A section.<br><br>
The Apache Comments System is explained <a href="../comments.html">here</a>.
Comments may be removed by our moderators if they are either
implemented or considered invalid/off-topic.
</p><div id="comments_thread"></div></div></div></div></div></div></div><footer><div id="footer">
Copyright © 1999-2018, The Apache Software Foundation
</div></footer></div></body></html>