Hi Chris, Can this be used to pull in any values, like in the Catalina.properties and set that value to a variable? Just throwing things at the wall to see what sticks. 😊
Dream * Excel * Explore * Inspire Jon McAlexander | Senior Infrastructure Engineer | Middleware/App Hosting | FHP | CTO | Wells Fargo Technology 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 | +1 515 988 2508 | [email protected]<mailto:[email protected]> Need to engage our teams? Click here: https://hop.cfapps.wellsfargo.net/mwae This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. From: Christopher Schultz <[email protected]> Sent: Wednesday, January 21, 2026 12:48 PM To: [email protected] Subject: Re: Tomcat 9.0.x securing db credentials in server.xml Dineshk, On 1/21/26 4:36 AM, dineshk via users wrote: > Would like to know the recommended approach to secure the db credentials in > Tomcat , defined in server.xml file . The application could be deployed on > AKS or as normal on premises deployment. > Is there any recommended common solution? If not , what recommended approach > in each case . > Please let me know . It would be really helpful. While I wholeheartedly agree with Mark's separate response, since you mentioned AKS, I want to draw your attention to an apparently little-used component of Tomcat: https://urldefense.com/v3/__https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html*Property_replacements__;Iw!!F9svGWnIaVPGSwU!u_LCWWE3YwNUQr7YGC0HxCMrnAQPVDMv_7FcyFWxFTcEYF-PIgUiIo5092B5O9eNZ6TklNBfhWYL34W2Zv82m6e21Cd7L3cY$<https://urldefense.com/v3/__https:/tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html*Property_replacements__;Iw!!F9svGWnIaVPGSwU!u_LCWWE3YwNUQr7YGC0HxCMrnAQPVDMv_7FcyFWxFTcEYF-PIgUiIo5092B5O9eNZ6TklNBfhWYL34W2Zv82m6e21Cd7L3cY$> There is a reference to the ServiceBindingPropertySource which is a Tomcat component that can be used with resources extracted from e.g. Kubernetes before Tomcat starts. To be clear: Tomcat does NOT communicate with AKS directly, but if your deployment drops environmental files to the disk using the servicebinding.io spec, then you can just reference those files directly from your e.g. server.xml file. For example, I don't use Kubernetes, but I have this working in my environment for JDBC connections: <Resource name="${chomp:myapp.jdbc-datasource:-jdbc/conn}" auth="Container" type="javax.sql.DataSource" defaultAutoCommit="true" initialSize="1" maxTotal="1" maxIdle="1" maxWaitMillis="10000" url="${chomp:myapp.jdbc-url}" username="${chomp:myapp.jdbc-username:-scott}" password="${chomp:myapp.jdbc-password:-tiger}" driverClassName="${chomp:myapp.jdbc--driver-class-name:-com.mysql.jdbc.Driver}" ... /> Then I have these files in my SERVICE_BINDING_ROOT directory: /Users/chris/.webapps/service-binding-root myapp myapp/jdbc-url myapp/jdbc-username I also have this file as well so I can customize the "samesite" setting in various environments: myapp/cookies-samesite There is more documentation in the ServiceBindingPropertySource class javadoc, which you can find here: https://urldefense.com/v3/__https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/tomcat/util/digester/ServiceBindingPropertySource.html__;!!F9svGWnIaVPGSwU!u_LCWWE3YwNUQr7YGC0HxCMrnAQPVDMv_7FcyFWxFTcEYF-PIgUiIo5092B5O9eNZ6TklNBfhWYL34W2Zv82m6e21Lt-9qK6$<https://urldefense.com/v3/__https:/tomcat.apache.org/tomcat-9.0-doc/api/org/apache/tomcat/util/digester/ServiceBindingPropertySource.html__;!!F9svGWnIaVPGSwU!u_LCWWE3YwNUQr7YGC0HxCMrnAQPVDMv_7FcyFWxFTcEYF-PIgUiIo5092B5O9eNZ6TklNBfhWYL34W2Zv82m6e21Lt-9qK6$> The more I have been using the ServiceBindingPropertySource the more I've been thinking that I should add documentation to the Tomcat User Guide for these things because reading Javadoc is yucky. -chris --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected]<mailto:[email protected]> For additional commands, e-mail: [email protected]<mailto:[email protected]>
