lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Apache Tomcat

Apache Software Foundationmiddleware2 credentials

Credentials2 documented
01

Manager / Host Manager User Password

apache-tomcat / manager-user-password

Tomcat Manager and Host Manager authenticate users through a configured Realm. The default UserDatabaseRealm is typically backed by $CATALINA_BASE/conf/tomcat-users.xml, where operators define usernames, passwords, and manager roles.

user definedsecretusername/password

Looks like

pattern
pattern

tomcat-users.xml user entry; the password attribute is the credential and manager/admin roles identify privileged web-console access

<user\s+username="[^"]+"\s+password="[^"]+"\s+roles="[^"]*(manager-gui|manager-script|manager-jmx|manager-status|admin-gui|admin-script)[^"]*"\s*/?>

Location

config file
$CATALINA_BASE/conf/tomcat-users.xml
config file
$CATALINA_BASE/conf/server.xml

Realm configuration can point authentication at XML, JDBC, JNDI, JAAS, or custom stores

public interface
/manager/html, /manager/text, /manager/jmxproxy, /host-manager/html
source code

Dockerfiles, lab compose files, deployment examples, golden Tomcat configs

artifact

WAR deployment bundles, config backups, AMI/container build artifacts

Notes

Tomcat documentation states that no username in the default users file is assigned Manager roles, so Manager access is disabled by default. Do not treat example users as shipped defaults; include only operator configured users and passwords.

02

Realm User Password

apache-tomcat / realm-user-password

Tomcat web applications using container-managed security authenticate users through a Realm. Realms may store usernames, passwords, and roles in tomcat-users.xml, a database, LDAP/JNDI, JAAS, or a custom backend.

user definedsecretusername/password

Looks like

pattern
pattern

tomcat-users.xml user entry for a MemoryRealm or UserDatabaseRealm

<user\s+username="[^"]+"\s+password="[^"]+"\s+roles="[^"]*"\s*/?>

Location

config file
$CATALINA_BASE/conf/tomcat-users.xml
config file
$CATALINA_BASE/conf/server.xml, META-INF/context.xml

Realm, DataSourceRealm, JDBCRealm, JNDIRealm, and JAASRealm configuration

database

JDBCRealm or DataSourceRealm user and role tables

public interface

application login forms protected by Servlet security constraints

source code

context.xml, web.xml, test fixtures, deployment templates

Notes

Realm password storage depends on the configured Realm and digest settings. For LOLCreds purposes, the concrete credential location is the configured Realm backend plus any copied deployment artifacts.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.