Tomcat Manager Access

Friday, 29 April 2011 07:55

How to gain access to Tomcat Manager Webapp

The Tomcat Manager Web application is packaged with the Tomcat server. It is installed in the context path of /manager and provides the basic functionality to manage Web applications running in the Tomcat server.

Some of the provided functionality includes the ability to install, start, stop, remove, and report on Web applications.

Configure Tomcat user authentication

Before you can use the Manager, you must set up a new user with the appropriate privileges to access the /manager web application; otherwise you will get a 403 Access Denied error.

Note that for Tomcat 7 onwards, the roles required to use the manager application were changed from the single manager role to the following four roles. You will need to assign the role(s) required for the functionality you wish to access.

Tomcat 7 roles

Role            Description
manager-gui     allows access to the HTML GUI and the status pages
manager-script  allows access to the text interface and the status pages
manager-jmx     allows access to the JMX proxy and the status pages
manager-status  allows access to the status pages only

The Manager application's deployment descriptor (WEB-INF/web.xml) enforces this with the <role-name> sub-element of its <auth-constraint>, which is listed in the following code snippet:

<auth-constraint>
    <role-name>manager</role-name>
</auth-constraint>

The value of this sub-element states that only users with a role of manager can access the resource protected by this security constraint. What this all boils down to is that, if you want access to the manager application, you need to add a new user with a role of manager.

You add such a user by inserting an entry in the TOMCAT_HOME/conf/tomcat-users.xml file, which contains all of the users defined in Tomcat. If you haven't changed this file before, it should look similar to the following code snippet:

<tomcat-users>
    <role rolename="manager-gui"/>
    <!-- username is the documented attribute; roles is a comma-separated list -->
    <user username="manager" password="password" roles="manager-gui"/>
</tomcat-users>

Memory Realm configuration

MemoryRealm - Accesses authentication information stored in an in-memory object collection, which is initialized from an XML document (conf/tomcat-users.xml).

The following environmental dependencies must be met in order for MemoryRealm to operate correctly:

The desire to utilize MemoryRealm must be registered in $CATALINA_HOME/conf/server.xml, in a <Realm> element that is nested inside a corresponding <Engine>, <Host>, or <Context> element.
(This is not already included in the default server.xml file for Tomcat 7.)

Server.xml configuration

<Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.MemoryRealm" />
    ...
</Engine>

Warning

The HTML interface is protected against CSRF but the text and JMX interfaces are not. To maintain the CSRF protection:

  • users with the manager-gui role should not be granted either the manager-script or manager-jmx roles.
  • if the text or jmx interfaces are accessed through a browser (e.g. for testing since these interfaces are intended for tools not humans) then the browser must be closed afterwards to terminate the session.
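The role-separation rule above is easy to state and easy to violate over time as users accumulate roles. The following script is an added example (not from the original page or the Tomcat project) that reads a tomcat-users.xml document and reports every user who holds manager-gui together with manager-script or manager-jmx. It handles both the documented username attribute and the older name attribute, the comma-separated roles list, and the xmlns namespace that newer default tomcat-users.xml files carry. The XML embedded in it is constructed sample input.

```python
"""Audit tomcat-users.xml for Manager role combinations that defeat CSRF protection.

Added example, not part of the original page or of Tomcat itself. It checks the
guidance that a user with manager-gui should not also hold manager-script or
manager-jmx, because only the HTML interface is CSRF-protected.
"""
import xml.etree.ElementTree as ET

# Constructed sample: "admin" and "deploy" follow the guidance, "ops" does not.
SAMPLE_TOMCAT_USERS = """
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <user username="admin"  password="changeit" roles="manager-gui"/>
  <user username="deploy" password="changeit" roles="manager-script,manager-status"/>
  <user username="ops"    password="changeit" roles="manager-gui,manager-jmx"/>
</tomcat-users>
"""

GUI_ROLE = "manager-gui"
# Roles that expose the interfaces without CSRF protection.
NON_CSRF_PROTECTED_ROLES = {"manager-script", "manager-jmx"}


def _local_name(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_text):
    """Return {username: set_of_roles} from a tomcat-users.xml document.

    The roles attribute is a comma-separated list. Both 'username' (documented)
    and 'name' (accepted by Tomcat's parser) are honoured for the user name.
    """
    root = ET.fromstring(xml_text)
    users = {}
    for element in root.iter():
        if _local_name(element.tag) != "user":
            continue
        name = element.get("username") or element.get("name")
        if name is None:
            continue
        roles = {r.strip() for r in element.get("roles", "").split(",") if r.strip()}
        users[name] = roles
    return users


def find_role_conflicts(users):
    """Return sorted (username, [conflicting roles]) pairs for users that hold
    manager-gui together with manager-script and/or manager-jmx."""
    conflicts = []
    for name, roles in sorted(users.items()):
        if GUI_ROLE in roles:
            bad = sorted(roles & NON_CSRF_PROTECTED_ROLES)
            if bad:
                conflicts.append((name, bad))
    return conflicts


def audit(xml_text):
    """Parse the document and return the list of role conflicts."""
    return find_role_conflicts(parse_users(xml_text))


if __name__ == "__main__":
    for name, bad in audit(SAMPLE_TOMCAT_USERS):
        print("user %r holds %s together with %s" % (name, GUI_ROLE, ", ".join(bad)))
```

Run it against a real file with audit(open(path).read()); an empty result means every Manager GUI user is kept apart from the script and JMX interfaces, which is the state the warning above asks for.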


Comments

#1 Oscar 2011-11-09 02:27
At last, a clear explanation of this issue. Thank you very much sir, it's been really helpful for me.
