
My tomcat server is presently running the manager app unprotected. We would like to continue using this as our primary means of starting, stopping and deploying applications.

Our tomcat-users file looks like this:

<tomcat-users xmlns="http://tomcat.apache.org/xml"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
          version="1.0">
  <user username="tcadmin" password="P98ohnoes" roles="admin-gui,manager-gui" />

</tomcat-users>

Having tested with multiple people here, we find that:

http://servername:8080/manager

loads up the manager interface for them without a password challenge.

What am I missing?

We're running this on Windows Server 2012 R2 on port 8080, while we have IIS running on port 80.

I have tried restarting the server, and have reviewed our Dev and QA servers to make sure the server.xml, tomcat-users.xml, and web.xml files are all in parity, and find nothing different. On each of those servers, security is working. They are running on Windows 7 64-bit on port 80 with no other web servers running in parallel.

Update

From Tim Holloway at Java Ranch, I have learned that we should be concerned with our GlobalNamingResources configuration in the server.xml file. I have reviewed that and confirmed it matches our working server configurations.

<GlobalNamingResources>
<!-- Editable user database that can also be used by
     UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
          type="org.apache.catalina.UserDatabase"
          description="User database that can be updated and saved"
          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>

And the Realm:

<Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

I also followed Tim's suggestion to check up on access to the /conf/tomcat-users.xml for the Tomcat UserID, which we run as a service under the System logon, which has full control permissions for that file.

And yet, security seems to be ignored after a restart.

1 Answer


The solution, provided by Tim Holloway at Java Ranch, was to simply replace the manager folder in the webapps directory. There were apparently some undocumented changes made there, not sure what, which were causing our issue.
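Since the fix was to restore the stock manager webapp, the thing worth checking on a server that serves the manager GUI without a challenge is whether webapps/manager/WEB-INF/web.xml still carries its security-constraint and login-config elements. The audit below is an added example, not code from the thread; it assumes the stock manager descriptor layout (/html/* guarded by manager-gui, /text/* by manager-script) and runs against a constructed intact copy and a constructed tampered copy of that descriptor.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): a trimmed manager web.xml that still
# enforces authentication on the HTML and text interfaces.
INTACT_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Text Manager interface (for scripts)</web-resource-name>
      <url-pattern>/text/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager-script</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Tomcat Manager Application</realm-name></login-config>
</web-app>"""

# Constructed: the same descriptor with the auth-constraint on /html/* removed,
# which makes the container serve the manager GUI with no credential challenge.
TAMPERED_WEB_XML = INTACT_WEB_XML.replace(
    "<auth-constraint><role-name>manager-gui</role-name></auth-constraint>", "", 1)

# URL patterns the stock manager descriptor protects and the role each requires.
EXPECTED = {"/html/*": "manager-gui", "/text/*": "manager-script"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def audit_manager_descriptor(xml_text):
    """Return a list of findings; an empty list means the constraints look intact."""
    root = ET.fromstring(xml_text)
    findings = []
    protected = {}  # url-pattern -> set of role names the container requires
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
        roles = {(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "role-name"}
        has_auth = any(_local(e.tag) == "auth-constraint" for e in sc.iter())
        for p in patterns:
            if not has_auth:  # a constraint without auth-constraint restricts nobody
                findings.append(f"{p}: security-constraint has no auth-constraint (unrestricted)")
            protected.setdefault(p, set()).update(roles)
    for pattern, role in EXPECTED.items():
        if role not in protected.get(pattern, set()):
            findings.append(f"{pattern}: not restricted to role {role}")
    if not any(_local(e.tag) == "login-config" for e in root.iter()):
        findings.append("no login-config: the container will never challenge for credentials")
    return findings
```

Run it against the real file with `audit_manager_descriptor(open("webapps/manager/WEB-INF/web.xml").read())`; any finding is a reason to diff that folder against a pristine Tomcat distribution before trusting the realm or tomcat-users.xml settings.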