Dineshk,

On 1/21/26 4:36 AM, dineshk via users wrote:
Would like to know the recommended approach to secure the db credentials in
Tomcat, defined in server.xml file. The application could be deployed on AKS
or as normal on premises deployment.
Is there any recommended common solution? If not, what recommended approach in
each case.
Please let me know. It would be really helpful.

While I wholeheartedly agree with Mark's separate response, since you mentioned AKS, I want to draw your attention to an apparently little-used component of Tomcat:

https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements

There is a reference to the ServiceBindingPropertySource which is a Tomcat component that can be used with resources extracted from e.g. Kubernetes before Tomcat starts. To be clear: Tomcat does NOT communicate with AKS directly, but if your deployment drops environmental files to the disk using the servicebinding.io spec, then you can just reference those files directly from your e.g. server.xml file.

For example, I don't use Kubernetes, but I have this working in my environment for JDBC connections:

  <Resource name="${chomp:myapp.jdbc-datasource:-jdbc/conn}"
        auth="Container"
        type="javax.sql.DataSource"
        defaultAutoCommit="true"
        initialSize="1"
        maxTotal="1"
        maxIdle="1"
        maxWaitMillis="10000"
        url="${chomp:myapp.jdbc-url}"
        username="${chomp:myapp.jdbc-username:-scott}"
        password="${chomp:myapp.jdbc-password:-tiger}"
        driverClassName="${chomp:myapp.jdbc--driver-class-name:-com.mysql.jdbc.Driver}"
     ... />

Then I have these files in my SERVICE_BINDING_ROOT directory:

/Users/chris/.webapps/service-binding-root
myapp
myapp/jdbc-url
myapp/jdbc-username

I also have this file as well so I can customize the "samesite" setting in various environments:
myapp/cookies-samesite

There is more documentation in the ServiceBindingPropertySource class javadoc, which you can find here:
https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/tomcat/util/digester/ServiceBindingPropertySource.html

The more I have been using the ServiceBindingPropertySource the more I've been thinking that I should add documentation to the Tomcat User Guide for these things because reading Javadoc is yucky.

-chris
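
An added example, not part of the original message or of Tomcat: a small audit of a service-binding directory against the placeholders in a server.xml fragment. It assumes that a reference `binding.key` maps to the file `$SERVICE_BINDING_ROOT/binding/key`, as in the listing above, and that every `${...}` in the input is a binding reference; the function names, sample values and file modes are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# ${[chomp:]<binding>.<key>[:-<default>]} as used in the <Resource> above.
# Assumption: every placeholder in the input is a service-binding reference.
PLACEHOLDER = re.compile(r"\$\{(?:chomp:)?([^.:{}]+)\.([^:{}]+)(?::-([^}]*))?\}")

def audit_bindings(server_xml: str, binding_root: str) -> list[tuple[str, str]]:
    """Return (reference, finding) pairs for placeholders needing attention."""
    findings = []
    for m in PLACEHOLDER.finditer(server_xml):
        binding, key, default = m.groups()
        ref = f"{binding}.{key}"
        path = os.path.join(binding_root, binding, key)
        if not os.path.isfile(path):
            if default is None:
                findings.append((ref, "missing file, no default"))
            else:
                # The value written inline in server.xml is what gets used.
                findings.append((ref, "missing file, falls back to inline default"))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((ref, f"file mode {mode:o} is accessible beyond its owner"))
    return findings

def build_sample(root: str) -> str:
    """Constructed sample: a binding root plus a server.xml fragment."""
    os.makedirs(os.path.join(root, "myapp"))
    for name, value, mode in [("jdbc-url", "jdbc:mysql://db.example.invalid/app\n", 0o600),
                              ("jdbc-username", "appuser\n", 0o644)]:
        path = os.path.join(root, "myapp", name)
        with open(path, "w") as fh:
            fh.write(value)
        os.chmod(path, mode)
    return ('<Resource url="${chomp:myapp.jdbc-url}" '
            'username="${chomp:myapp.jdbc-username:-scott}" '
            'password="${chomp:myapp.jdbc-password:-tiger}" />')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for ref, finding in audit_bindings(build_sample(root), root):
            print(f"{ref}: {finding}")
```

Running it before Tomcat starts shows which attributes would silently take the default written in server.xml and which binding files are readable by accounts other than the one Tomcat runs as.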

