Jetty/Howto/Secure Passwords

From Eclipsepedia

Revision as of 15:35, 23 April 2013


There are many places in Jetty where you need to use and store a password, for example the SSL connector keystore password and user passwords in realms. You can store passwords as clear text, obfuscated, checksummed or encrypted, in order of increasing security.

The choice of method to secure a password depends on where you are using the password. In some cases, such as keystore passwords and digest authentication, the system must retrieve the original password, which requires the obfuscation method. The drawback of the obfuscation algorithm is that it protects passwords from casual viewing only.

When the stored password is compared to one a user enters, the handling code can apply the same algorithm that secures the stored password to the user input and compare the results, so the original password never has to be recovered. This makes password authentication more secure.


Jetty provides a password utility that you can use to generate all varieties of passwords.

Run it without arguments to see usage instructions:

Version 8.1 and above (this also works on 7.6.7):

> java -cp lib/jetty-util-xxx.jar org.eclipse.jetty.util.security.Password
Usage - java org.eclipse.jetty.util.security.Password [<user>] <password>

Below version 8.1:

> java -cp lib/jetty-http-xxx.jar:lib/jetty-util-xxx.jar org.eclipse.jetty.http.security.Password
Usage - java org.eclipse.jetty.http.security.Password [<user>] <password>

where xxx is the version of Jetty that you have installed.

For example, to generate a secured version of the password blah for the user me, enter:

> java -cp lib/jetty-http-xxx.jar:lib/jetty-util-xxx.jar org.eclipse.jetty.http.security.Password me blah

Now you can cut and paste whichever secure version you choose into your configuration file or Java code.

For example, the last line below shows how you would cut and paste the encrypted password generated above into the properties file for a HashUserRealm:

admin: CRYPT:ad1ks..kc.1Ug,server-administrator,content-administrator,admin
other: OBF:1xmk1w261u9r1w1c1xmq
guest: guest,read-only
me: CRYPT:me/ks90E221EY
Don't forget to also copy the OBF:, MD5: or CRYPT: prefix of the generated password; Jetty cannot use the value without it.
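The following Python is an added illustration, not Jetty's own code: it reimplements the OBF: encoding for ASCII passwords so you can see that it is reversible (hence "casual viewing only"), and a check routine in the spirit of the comparison described above, which transforms the user's input the same way as the stored MD5: or OBF: entry instead of recovering the clear text. The realm line for user other above is used as test data; CRYPT: entries are not handled here.

```python
import hashlib
import hmac

OBF_PREFIX = "OBF:"
MD5_PREFIX = "MD5:"


def _to_base36(n: int) -> str:
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    s = ""
    while n:
        n, r = divmod(n, 36)
        s = digits[r] + s
    return s or "0"


def obfuscate(password: str) -> str:
    """Jetty OBF encoding (7-bit ASCII only): each byte is mixed with its mirror byte."""
    b = password.encode("ascii")
    out = [OBF_PREFIX]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]
        i0 = (127 + b1 + b2) * 256 + (127 + b1 - b2)
        out.append(_to_base36(i0).rjust(4, "0"))  # four base-36 digits per byte
    return "".join(out)


def deobfuscate(stored: str) -> str:
    """Invert OBF; Jetty does this wherever the clear text itself is required."""
    s = stored[len(OBF_PREFIX):] if stored.startswith(OBF_PREFIX) else stored
    chars = []
    for i in range(0, len(s), 4):
        i1, i2 = divmod(int(s[i:i + 4], 36), 256)
        chars.append(chr((i1 + i2 - 254) // 2))  # (254 + 2*b1 - 254) / 2 == b1
    return "".join(chars)


def secure_md5(password: str) -> str:
    """Jetty MD5 form: lower-case hex digest of the UTF-8 password."""
    return MD5_PREFIX + hashlib.md5(password.encode("utf-8")).hexdigest()


def check_password(stored: str, candidate: str) -> bool:
    """Compare a realm.properties credential with user input without decoding it."""
    if stored.startswith(MD5_PREFIX):
        computed = secure_md5(candidate)
    elif stored.startswith(OBF_PREFIX):
        computed = obfuscate(candidate)
    else:
        computed = candidate  # clear-text entry, like the guest line above
    return hmac.compare_digest(computed.encode("utf-8"), stored.encode("utf-8"))
```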