1 | | -# Vault4Tomcat |
| 1 | +# Vault4Tomcat (VaultCat) |
| 2 | + |
| 3 | +A lightweight **HashiCorp Vault** integration for **Apache Tomcat**. |
| 4 | +Securely fetch secrets at runtime, eliminate hardcoded credentials, and simplify Tomcat configuration. |
| 5 | + |
| 6 | + |
| 7 | + |
| 8 | + |
| 9 | +## Introduction |
| 10 | + |
| 11 | +**Vault4Tomcat** integrates **HashiCorp Vault** with **Apache Tomcat** to securely manage secrets in Tomcat configuration files. |
| 12 | + |
| 13 | +It dynamically resolves `${vault:path#key}` placeholders. |
| 14 | + |
| 15 | +🔹 **Dynamic Secret Resolution** → Fetch secrets at runtime from HashiCorp Vault. |
| 16 | + |
| 17 | +**TODO:** |
| 18 | +🔹 **JNDI Integration** |
| 19 | +🔹 **Multi-Auth Support** |
| 20 | +🔹 **Secret Caching** |
| 21 | +🔹 **CLI Tool** |
| 22 | + |
| 23 | + |
| 24 | +**Security-First**: No more hardcoded passwords in configuration files. |
| 25 | + |
| 26 | +--- |
| 27 | + |
| 28 | +## Installation |
| 29 | + |
| 30 | +### Prerequisite: Have a Hasicorp Vault deployed |
| 31 | +Example deployment: |
| 32 | +``` |
| 33 | +podman run --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=my-root-token' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' -p 8200:8200 hashicorp/vault |
| 34 | +``` |
| 35 | +in the container: |
| 36 | +``` |
| 37 | +export VAULT_ADDR=http://127.0.0.1:8200 |
| 38 | +export VAULT_TOKEN=my-root-token |
| 39 | +vault kv put secret/myapp/config username="admin" password="s3cr3t" |
| 40 | +vault kv get secret/myapp/config |
| 41 | +``` |
| 42 | + |
| 43 | +### 1. Download the latest release: |
| 44 | +[Vault4Tomcat Releases](https://github.com/dsoumis/Vault4Tomcat/releases) |
| 45 | + |
| 46 | +### 2. Drop the JAR into Tomcat’s `lib/` directory: |
| 47 | +``` |
| 48 | +cp vault4tomcat.jar $CATALINA_BASE/lib/ |
| 49 | +``` |
| 50 | +### 3. Define environment variables or create a `conf/vault.properties` file: |
| 51 | +``` |
| 52 | +vault.address=<http://127.0.0.1:8200> |
| 53 | +vault.token=<my-root-token> |
| 54 | +vault.ssl.verify=true |
| 55 | +``` |
| 56 | + |
| 57 | +### 4. Register the Property Source in `conf/catalina.properties`: |
| 58 | +``` |
| 59 | +org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.mycompany.tomcat.VaultPropertySource |
| 60 | +``` |
| 61 | + |
| 62 | +### 5. Use Vault secrets in `.xml` files: |
| 63 | +``` |
| 64 | +<Resource name="jdbc/MyDB" auth="Container" type="javax.sql.DataSource" |
| 65 | +username="myuser" |
| 66 | +password="${vault:database/creds#password}" |
| 67 | +driverClassName="com.mysql.cj.jdbc.Driver" |
| 68 | +url="jdbc:mysql://dbhost/mydb"/> |
| 69 | +``` |
| 70 | + |
| 71 | +--- |
| 72 | + |
| 73 | +## How It Works |
| 74 | +Vault4Tomcat intercepts `${vault:path#key}` placeholders in Tomcat config files and replaces them with secrets from HashiCorp Vault. |
| 75 | + |
| 76 | +1. Tomcat starts up and loads configuration. |
| 77 | +2. VaultPropertySource detects placeholders like ${vault:...}. |
| 78 | +3. It queries Vault via VaultClient and retrieves secrets. |
| 79 | +4. Secrets are injected into Tomcat’s configuration at runtime. |
| 80 | +5. Secret caching reduces Vault API calls for performance. |
| 81 | + |
| 82 | +## Licensing |
| 83 | +Vault4Tomcat is open-source and licensed under the Apache License 2.0. |
| 84 | + |
| 85 | +## Contributing |
| 86 | +To submit a GitHub Pull Request you'll need to fork the repository, clone your fork to do the work: |
| 87 | + |
| 88 | +$ git clone https://github.com/$USERNAME/Vault4Tomcat.git |
| 89 | + |
| 90 | +and then push your changes, and submit a Pull Request via the GitHub UI. |
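Review bot: steps 3 and 4 of the Installation section cannot be followed by copy-paste as written. `org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.mycompany.tomcat.VaultPropertySource` uses a placeholder package that does not belong to this project; replace it with the real fully qualified class name of the property source shipped in the JAR. Likewise `vault.address=<http://127.0.0.1:8200>` and `vault.token=<my-root-token>` keep the angle brackets, which pasted literally give an invalid address and token; either drop them or say they mark values to substitute. On the token itself: a `vault.token=` entry in `conf/vault.properties` moves a long-lived credential out of `server.xml` into another plaintext file, so the README should recommend the environment-variable route it already mentions, a non-root token limited by policy to the paths the placeholders read (the dev root token is fine only for the local demo), and restrictive file permissions if the properties file is used. "How It Works" step 5 states that secret caching reduces Vault API calls, while the Introduction lists Secret Caching under TODO; one of the two should change. Minor: "Hasicorp" in the prerequisite heading should read "HashiCorp", and the worked example writes `secret/myapp/config` but the Resource example reads `database/creds#password`; using one path end to end, and stating whether `path` in `${vault:path#key}` is the `vault kv` logical path or the HTTP API path (`secret/data/...` on a KV v2 engine), would let a reader verify the setup against the secret they just created.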