Apache Tomcat
Apache Software Foundationmiddleware2 credentials
Manager / Host Manager User Password
apache-tomcat / manager-user-password
Tomcat Manager and Host Manager authenticate users through a configured Realm. The default UserDatabaseRealm is typically backed by $CATALINA_BASE/conf/tomcat-users.xml, where operators define usernames, passwords, and manager roles.
Looks like
pattern<user\s+username="[^"]+"\s+password="[^"]+"\s+roles="[^"]*(manager-gui|manager-script|manager-jmx|manager-status|admin-gui|admin-script)[^"]*"\s*/?>Location
$CATALINA_BASE/conf/tomcat-users.xml$CATALINA_BASE/conf/server.xmlRealm configuration can point authentication at XML, JDBC, JNDI, JAAS, or custom stores
/manager/html, /manager/text, /manager/jmxproxy, /host-manager/htmlDockerfiles, lab compose files, deployment examples, golden Tomcat configs
WAR deployment bundles, config backups, AMI/container build artifacts
Notes
Tomcat documentation states that no username in the default users file is assigned Manager roles, so Manager access is disabled by default. Do not treat example users as shipped defaults; include only operator configured users and passwords.
Realm User Password
apache-tomcat / realm-user-password
Tomcat web applications using container-managed security authenticate users through a Realm. Realms may store usernames, passwords, and roles in tomcat-users.xml, a database, LDAP/JNDI, JAAS, or a custom backend.
Looks like
pattern<user\s+username="[^"]+"\s+password="[^"]+"\s+roles="[^"]*"\s*/?>Location
$CATALINA_BASE/conf/tomcat-users.xml$CATALINA_BASE/conf/server.xml, META-INF/context.xmlRealm, DataSourceRealm, JDBCRealm, JNDIRealm, and JAASRealm configuration
JDBCRealm or DataSourceRealm user and role tables
application login forms protected by Servlet security constraints
context.xml, web.xml, test fixtures, deployment templates
Notes
Realm password storage depends on the configured Realm and digest settings. For LOLCreds purposes, the concrete credential location is the configured Realm backend plus any copied deployment artifacts.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.