If you're running your application via Kubernetes, then you just need to use
Kubernetes secrets, which get mounted into the container as files to a
directory you specify. Then Tomcat merely needs to reference the file.
There is no point in encrypting the secrets and having Tomcat decrypt them.
It's the job of Kubernetes to secure the secrets API. Your job is to protect
the secrets from the application level.

On Sat, Jan 24, 2026 at 10:19 AM Christopher Schultz <[email protected]> wrote:

> Jon,
>
> On 1/21/26 2:53 PM, Mcalexander, Jon J. via users wrote:
> > Can this be used to pull in any values, like in the
> > Catalina.properties and set that value to a variable? Just throwing
> > things at the wall to see what sticks. 😊
> I don't *think* so.
>
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements
> says it's only XML files, though, so you might want to verify yourself.
>
> The same PropertySource should be used to resolve things that look like
> ant-style property references in pretty much any XML file Tomcat parses.
>
> It should be easy to verify, since you can define any property you want
> in catalina.properties and then just check System.getProperty() once the
> container has started.
>
> If PropertySource is used for files other than XML, then we should
> change the documentation. But my sense is that the documentation is
> accurate.
>
> -chris
>
> > From: Christopher Schultz <[email protected]>
> > Sent: Wednesday, January 21, 2026 12:48 PM
> > To: [email protected]
> > Subject: Re: Tomcat 9.0.x securing db credentials in server.xml
> >
> > Dineshk,
> >
> > On 1/21/26 4:36 AM, dineshk via users wrote:
> >> Would like to know the recommended approach to secure the db
> >> credentials in Tomcat, defined in server.xml file. The application could
> >> be deployed on AKS or as normal on-premises deployment.
> >>
> >> Is there any recommended common solution? If not, what recommended
> >> approach in each case?
> >>
> >> Please let me know. It would be really helpful.
> >
> > While I wholeheartedly agree with Mark's separate response, since you
> > mentioned AKS, I want to draw your attention to an apparently
> > little-used component of Tomcat:
> >
> > https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements
> >
> > There is a reference to the ServiceBindingPropertySource which is a
> > Tomcat component that can be used with resources extracted from e.g.
> > Kubernetes before Tomcat starts. To be clear: Tomcat does NOT
> > communicate with AKS directly, but if your deployment drops
> > environmental files to the disk using the servicebinding.io spec, then
> > you can just reference those files directly from your e.g. server.xml
> > file.
> >
> > For example, I don't use Kubernetes, but I have this working in my
> > environment for JDBC connections:
> >
> >     <Resource name="${chomp:myapp.jdbc-datasource:-jdbc/conn}"
> >               auth="Container"
> >               type="javax.sql.DataSource"
> >               defaultAutoCommit="true"
> >               initialSize="1"
> >               maxTotal="1"
> >               maxIdle="1"
> >               maxWaitMillis="10000"
> >               url="${chomp:myapp.jdbc-url}"
> >               username="${chomp:myapp.jdbc-username:-scott}"
> >               password="${chomp:myapp.jdbc-password:-tiger}"
> >               driverClassName="${chomp:myapp.jdbc--driver-class-name:-com.mysql.jdbc.Driver}"
> >               ... />
> >
> > Then I have these files in my SERVICE_BINDING_ROOT directory:
> >
> > /Users/chris/.webapps/service-binding-root
> > myapp
> > myapp/jdbc-url
> > myapp/jdbc-username
> >
> > I also have this file as well so I can customize the "samesite" setting
> > in various environments:
> >
> > myapp/cookies-samesite
> >
> > There is more documentation in the ServiceBindingPropertySource class
> > javadoc, which you can find here:
> >
> > https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/tomcat/util/digester/ServiceBindingPropertySource.html
> >
> > The more I have been using the ServiceBindingPropertySource the more
> > I've been thinking that I should add documentation to the Tomcat User
> > Guide for these things because reading Javadoc is yucky.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/
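The mounted-secret deployment Brian describes, wired to the ServiceBindingPropertySource Chris points at, as an added example that is not part of this thread and not Tomcat project code: a Kubernetes Secret whose keys become the files `myapp/jdbc-url`, `myapp/jdbc-username` and `myapp/jdbc-password` under SERVICE_BINDING_ROOT, and a Deployment that sets that root and selects the property source via `org.apache.tomcat.util.digester.PROPERTY_SOURCE` so a `server.xml` like the one quoted above resolves `${chomp:myapp.jdbc-url}` from the mounted file. The names `myapp`, `myapp-jdbc`, `jdbc-binding`, the `/bindings` mount path, the `tomcat:9.0` image and every credential value are assumptions or constructed placeholders.

```yaml
# Added example (not from the thread): Kubernetes Secret + Deployment wiring
# for Tomcat's ServiceBindingPropertySource. Secret values are constructed
# placeholders; the image tag, object names and mount path are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: myapp-jdbc
type: Opaque
stringData:
  # Each key becomes the file $SERVICE_BINDING_ROOT/myapp/<key>, which is
  # what ${chomp:myapp.jdbc-url} etc. in server.xml resolve to.
  jdbc-url: "jdbc:mysql://db.example.internal:3306/myapp"   # constructed value
  jdbc-username: "myapp_user"                                # constructed value
  jdbc-password: "replace-me-placeholder"                    # constructed value
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: tomcat
          image: tomcat:9.0   # assumed image; in practice your own image carrying server.xml
          env:
            # Where the servicebinding.io directory tree lives inside the pod.
            - name: SERVICE_BINDING_ROOT
              value: /bindings
            # Select the property source that reads $SERVICE_BINDING_ROOT/<service>/<key>.
            - name: CATALINA_OPTS
              value: "-Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource"
          volumeMounts:
            # Mounting at /bindings/myapp turns the Secret's keys into the
            # files myapp/jdbc-url, myapp/jdbc-username and myapp/jdbc-password.
            - name: jdbc-binding
              mountPath: /bindings/myapp
              readOnly: true
      volumes:
        - name: jdbc-binding
          secret:
            secretName: myapp-jdbc
            # Keep the secret files from being world-readable inside the pod;
            # pair with securityContext.fsGroup if Tomcat runs as a non-root user.
            defaultMode: 0440
```

The `chomp:` prefix in the quoted `server.xml` matters most when a Secret is built with `kubectl create secret generic --from-file`, because the source files usually carry a trailing newline that would otherwise end up in the JDBC password; `stringData` values as written here have none. Nothing in Tomcat protects this material: what does is RBAC on the Secrets API, encryption at rest for etcd, and the read-only mount, which is the division of responsibility Brian describes above.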
