2

I have Tomcat 8 set up on Ubuntu 16.04 on a remote server. I want to access the GUI manager app from my local machine. Visiting the page /manager/html, I get a 403 access denied page with the following info:

By default the Host Manager is only accessible from a browser running on the same machine as Tomcat. If you wish to modify this restriction, you'll need to edit the Host Manager's context.xml file.

and it says to add the following to this file:

/conf/tomcat-users.xml

<role rolename="manager-gui"/>
<user username="username" password="password" roles="manager-gui"/>

I've done that, restarted tomcat:

sudo systemctl restart tomcat

but I get the same error page.

Any idea what I'm missing?

Thanks

user3203425

3 Answers

6

For Tomcat v8.5.4 and above, the file <tomcat>/webapps/manager/META-INF/context.xml has been adjusted:

<Context antiResourceLocking="false" privileged="true" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>

Change this file to comment the Valve:

<Context antiResourceLocking="false" privileged="true" >
    <!--
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
    -->
</Context>

After that, refresh your browser (no need to restart Tomcat), and you can see the manager page.

jqgsninimo
0

The context.xml file to edit, invoked by the error page:

$CATALINA_HOME/webapps/manager/META-INF/context.xml

assuming CATALINA_HOME is the Tomcat installation location. This is a context configuration file for the manager web application. In this file you typically find:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

In this line, the "allow" field contains a pipe-separated list of IP addresses that are allowed to access the manager web app. Add, at the end of this field value, a pipe and your IP address.

After that, simply refresh your browser; no restart of Tomcat is needed.

0

For Tomcat versions 7 and up.
As of Tomcat 7, some things changed to increase Tomcat security. When editing the tomcat-users.xml file, you need to use the existing file, leave the tomcat-users xmlns information as is, and simply add:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
   version="1.0">
<role rolename="manager-gui"/>
<user username="SOMEUSER" password="YOURPASS" roles="manager-gui"/>
</tomcat-users>

Please note that manager is now manager-gui instead of just manager. There are several different manager types:

manager-gui
manager-script
manager-status
manager-jmx

Last step - Allowing Access

By default the Host Manager is only accessible from a browser running on the same machine as Tomcat. If you wish to modify this restriction, you'll need to edit tomcat/webapps/manager/META-INF/context.xml to allow all IPs or just yours.

Below configuration is for allowing all IPs to access the manager:

Replace

allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"  

with

allow=".*"

Example:

<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
 allow=".*" />
</Context>

Finally - restart tomcat and then navigate to yourdomain.com/manager/html

Thomas
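
The three answers above change the same RemoteAddrValve in different ways: commenting it out, appending one address, and setting allow=".*". The audit script below is an added example, not part of any answer and not Tomcat code; it reports which constructed probe addresses each variant would admit. The probe addresses, ADMIN_IP and all helper names are assumptions, and Python's re.fullmatch stands in for the valve's whole-address match.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"
DEFAULT_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"   # value shown on the page
# Constructed probe addresses from the documentation ranges, standing in for
# arbitrary remote clients. ADMIN_IP is a hypothetical workstation address.
PROBES = ["198.51.100.23", "192.0.2.77", "2001:db8::1"]
ADMIN_IP = "203.0.113.10"

def allow_with(base, client_ip):
    """Append one literal address; re.escape keeps '.' from matching any character."""
    return base + "|" + re.escape(client_ip)

def unexpected_clients(context_xml, expected=()):
    """Return the probe addresses a manager context.xml admits besides `expected`."""
    root = ET.fromstring(context_xml)      # the parser drops commented-out elements
    valves = [v for v in root.iter("Valve") if v.get("className") == VALVE]
    candidates = [p for p in PROBES + [ADMIN_IP] if p not in expected]
    if not valves:                         # no address filter left in the context
        return candidates
    allow = valves[0].get("allow", "")
    # Assumption: the valve tests the whole address against the expression,
    # so re.fullmatch is used; a deny attribute is not modelled here.
    return [p for p in candidates if re.fullmatch(allow, p)]

def context(inner_xml):
    return '<Context antiResourceLocking="false" privileged="true">%s</Context>' % inner_xml

def valve(allow):
    return '<Valve className="%s" allow="%s" />' % (VALVE, allow)

# Constructed samples mirroring the variants discussed in the answers.
SAMPLES = {
    "default": context(valve(DEFAULT_ALLOW)),
    "valve commented out": context("<!-- %s -->" % valve(DEFAULT_ALLOW)),
    'allow=".*"': context(valve(".*")),
    "default plus one address": context(valve(allow_with(DEFAULT_ALLOW, ADMIN_IP))),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        leaked = unexpected_clients(xml_text, expected=(ADMIN_IP,))
        print("%-26s %s" % (name, "admits " + ", ".join(leaked) if leaked else "restricted"))
```

Run against a real file by passing its contents to unexpected_clients(); an empty list means only loopback and the expected address get past the valve.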