...

The UserDatabaseRealm uses the tomcat-users.xml file from the conf folder to store users, roles and passwords. By default the passwords are stored in plain text. It is strongly advised to use a hashing algorithm to prevent storing plain text passwords on the file system. Both Tomcat 7 and 8 support hashing algorithms. Tomcat 8 and higher use a CredentialHandler that supports a salt and an iteration count, which is not possible with Tomcat 7.

User management with Tomcat 8 and 9

In the following server.xml file the CredentialHandler element was added to the UserDatabaseRealm. In this case the PBKDF2WithHmacSHA512 algorithm is configured with a keyLength of 256, a saltLength of 16 and 100000 iterations. These settings are a trade-off between performance and security. The exact values should be evaluated per use case.
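Because the server.xml fragment itself is not reproduced here, the following Python script (an added example, not code from the page or from Tomcat) reproduces what that CredentialHandler configuration does: it derives a PBKDF2WithHmacSHA512 key of 256 bits from a 16-byte random salt over 100000 iterations, and verifies a password against the result. It assumes the stored form is hex(salt)$iterations$hex(key), which is how I understand Tomcat's SecretKeyCredentialHandler writes credentials into tomcat-users.xml.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters matching the CredentialHandler settings described above:
# PBKDF2WithHmacSHA512, keyLength 256 bits, saltLength 16 bytes, 100000 iterations.
ALGORITHM = "sha512"
KEY_LENGTH_BYTES = 256 // 8
SALT_LENGTH = 16
ITERATIONS = 100000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a salted PBKDF2 credential as "salt$iterations$key" with the
    salt and key hex-encoded (assumed to match Tomcat's stored format)."""
    if salt is None:
        salt = os.urandom(SALT_LENGTH)          # fresh random salt per user
    key = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                              iterations, dklen=KEY_LENGTH_BYTES)
    return f"{salt.hex()}${iterations}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a password against a stored credential. Salt and iteration count
    are read back from the stored value, so entries hashed under older
    settings keep verifying after the configuration is tightened."""
    try:
        salt_hex, iterations_str, key_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations_str)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False                            # malformed credential
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample password; not a credential from any real deployment.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong", stored))                         # False
```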

...