403 Access Denied on Tomcat 8 Manager App without prompting for user password

Question

I have set up tomcat 8 according to this  and I have the following tomcat-users xml file    lt  xml version  1 0  encoding  UTF-8   gt   lt tomcat-users xmlns  http   tomcat apache org xml                xmlns xsi  http   www w3 org 2001 XMLSchema-instance                xsi schemaLocation  http   tomcat apache org xml tomcat-users xsd                version  1 0  gt      lt role rolename  manager-gui   gt     lt role rolename  manager-script   gt      lt user username  notadmin  password  not real pass  roles  manager-gui   gt     lt user username  cargo  password  not real pass  roles  manager-script   gt   lt tomcat-users  gt    When I try to access the Manager App  I get rejected with 403 without any prompt for username and password   What did I miss in the config   Edit1  Added full xml file

User · Answer

The solution that worked for me is edit context.xml files in both $CATALINA_HOME/webapps/manager/META-INF and $CATALINA_HOME/webapps/host-manager/META-INF where my ip is 123.123.123.123.

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|123.123.123.123" />
</Context>

I installed Tomcat 8.5 on Ubuntu and edited $CATALINA_HOME/conf/tomcat-users.xml:

<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="myuser" password="mypass" roles="admin-gui,manager-gui"/>

However, I still couldn't access both Tomcat Web Application Manager (localhost:8080/manager/html) and Tomcat Virtual Host Manager (localhost:8080/host-manager/html) until I edited context.xml files.

User · Answer

If non of above works for you  make sure tomcat has access to manager folder under webapps  chown       The message is the exact same message  and It took me 2 hours to figure out the problem   -   just for someone else who came here for the same issue as me

User · Answer

copy the below content to file tomcat-users xml   lt  xml version  1 0  encoding  utf-8   gt   lt  --   Licensed to the Apache Software Foundation  ASF  under one or more   contributor license agreements   See the NOTICE file distributed with   this work for additional information regarding copyright ownership    The ASF licenses this file to You under the Apache License  Version 2 0    the  License    you may not use this file except in compliance with   the License   You may obtain a copy of the License at        http   www apache org licenses LICENSE-2 0    Unless required by applicable law or agreed to in writing  software   distributed under the License is distributed on an  AS IS  BASIS    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND  either express or implied    See the License for the specific language governing permissions and   limitations under the License  -- gt   lt tomcat-users xmlns  http   tomcat apache org xml                xmlns xsi  http   www w3 org 2001 XMLSchema-instance                xsi schemaLocation  http   tomcat apache org xml tomcat-users xsd                version  1 0  gt   lt  --   NOTE   By default  no user is included in the  manager-gui  role required   to operate the   manager html  web application   If you wish to use this app    you must define such a user - the username and password are arbitrary  It is   strongly recommended that you do NOT use one of the users in the commented out   section below since they are intended for use with the examples web   application  -- gt   lt  --   NOTE   The sample user and role entries below are intended for use with the   examples web application  They are wrapped in a comment and thus are ignored   when reading this file  If you wish to configure these users for use with the   examples web application  do not forget to remove the  lt        gt  that surrounds   them  You will also need to set the passwords to something appropriate  -- gt   lt  --    lt role rolename  tomcat   gt     lt role rolename  role1   gt     lt user username  tomcat  password   lt must-be-changed gt   roles  tomcat   gt     lt user username  both  password   lt must-be-changed gt   roles  tomcat role1   gt     lt user username  role1  password   lt must-be-changed gt   roles  role1   gt  -- gt   lt role rolename  manager-gui   gt   lt role rolename  manager-script   gt    lt user username  notadmin  password  not real pass  roles  manager-gui   gt   lt user username  cargo  password  not real pass  roles  manager-script   gt     lt  tomcat-users gt    I have tested  it just works

User · Answer

lt role rolename  tomcat   gt     lt role rolename  manager-gui   gt     lt role rolename  admin-gui   gt     lt role rolename  manager-script   gt     lt role rolename  manager-jmx   gt     lt user username  admin  password  admin  roles  tomcat manager-gui admin-gui manager-script manager-jmx   gt    Close all the session  once closed  ensure open the URL in incognito mode login again and it should start working

User · Answer

Useful link  here  Access Tomcat Manager App from different host  From Tomcat version 8 onward s  manager html url won t be accessible to anyone except localhost    In order to access  manager html url  you need to do below change in context xml of manager app  1  Go to  apache-tomcat-8 5 23 webapps manager META-INF location  then edit context xml   lt Context antiResourceLocking  false  privileged  true   gt     lt Valve className  org apache catalina valves RemoteAddrValve           allow          gt           lt  Context gt     Restart the server

User · Answer

Correct answer can be found here    Looks like this issue can be reproduced while folowing mentioned tutorial on unix machines  Also noticed that author uses TC 8 0 33 Win  and OSX  do not have such issue  at least on my env   Server version         Apache Tomcat 8 5 4 Server built           Jul 6 2016 08 43 30 UTC Server number          8 5 4 0 OS Name                Windows 8 1 OS Version             6 3 Architecture           amd64 Java Home              C  TOOLS jdk1 8 0 101 jre JVM Version            1 8 0 101-b13 JVM Vendor             Oracle Corporation CATALINA BASE          C  TOOLS tomcat apache-tomcat-8 5 4 CATALINA HOME          C  TOOLS tomcat apache-tomcat-8 5 4   After tomcat-users xml is modified by adding role and user Tomcat Web Application Manager can be accessed on Tomcat 8 5 4

User · Answer

In my case it was the security constraints defined in web xml  Make sure they have the same roles you use in your tomcat-users xml file   For example  this is one of the out-of-the-box tags and will work with the standard tomcat-users xml     lt security-constraint gt       lt web-resource-collection gt         lt web-resource-name gt HTML Manager interface  for humans  lt  web-resource-name gt         lt url-pattern gt  html   lt  url-pattern gt       lt  web-resource-collection gt       lt auth-constraint gt          lt role-name gt manager-gui lt  role-name gt       lt  auth-constraint gt     lt  security-constraint gt    In my case an admin had used a different role-name which prevented me from accessing the manager

User · Answer

I foolishly uncommented the default config  which has passwords like     Tomcat fails to parse this file  becayse of the   lt     and then whatever other config you add won t work-

User · Answer

I have to modify the following files    CATALINA BASE conf Catalina localhost manager xml and add following line     lt Context privileged  true  antiResourceLocking  false        docBase    catalina home  webapps manager  gt           lt Valve className  org apache catalina valves RemoteAddrValve  allow          gt     lt  Context gt    This will allow tomcat to be accessed from any machine  if you want to grant access to specific IP then use the below value instead of allow              lt Valve className  org apache catalina valves RemoteAddrValve  allow  192  168  11  234    gt

User · Answer

fade s answer worked for me  I moved from 8 0 30 to 8 5 5 and the difference was the valve in  lt 8 0 30  manager META-INF context xml was already commented out from the tar file but was uncommented in 8 5 5 tar   I failed to read this important message in the 403 response      By default the Manager is only accessible from a browser running on   the same machine as Tomcat  If you wish to modify this restriction    you ll need to edit the Manager s context xml file    And failed to read this too      Since r1734267 a RemoteAddrValve is configured by default in Manager   and HostManager web applications  This feature is present in 9 0 0 M4   and 8 5 0 onwards    https   bz apache org bugzilla show bug cgi id 59672

User · Answer

Go and Check if a user is created or not if no please create a user by opening a file in  apache-tomcat-9 0 20 tomcat-users xml add a line into it   lt user username  tomcat  password  tomcat  roles  admin-gui manager-gui manager-script    gt  Goto  apache-tomcat-9 0 20 webapps manager META-INF  open context xml comment everything in context tag example     lt Context antiResourceLocking  false  privileged  true   gt        lt  --Valve className  org apache catalina valves RemoteAddrValve              allow  127   d    d    d    1 0 0 0 0 0 0 0 1   -- gt      lt  Context gt

User · Answer

I follwed the same tutorial but after some months I strangely got the error  403 Access Denied   while tryed to use Manager App  In this case I was using the ipaddress 8080 in the address bar and Tomcat Manager App didin t prompting for user password  In case of localhost 8080 the error was  401   the dialogbox asking for username and password was displayed but the user not recognized   I tried all the previous suggestions   solutions without lucky  The only way I found is been to repeat again the entire tutorial overwriting also the files   When finished  I  found again the old deployed project into the webapps directory  Now Apache Tomcat 8 5 16 Manager App are working again  I do not know what happened I didn t understand also because I m a newbie in Tomcat user

User · Answer

I was having same problem while installing tomcat in docker  I have solved by adding        instead of  127  d   d   d    1 0 0 0 0 0 0 0 1 123 123 123 123   Restart the tomcat

User · Answer

I had to add both manager-gui and manager-script roles for it to work  in version 9   After getting the access to MangerApp  while trying to upload  war file  I got the exception  org apache tomcat util http fileupload FileUploadBase IOFileUploadException   which I was able to solve using the answer of this post  To get access for Host Manager  check this post

User · Answer

The correct answer is as  JaKu pointed out  Tomcat is confining the access to localhost to make it secure  This is as it should be  Port forwarding to tomcat is the correct thing to do  preferably under something secure like SSH

User · Answer

This may be work   Find the CATALINA HOME webapps manager META-INF context xml file and add the comment markers around the Valve    lt Context antiResourceLocking  false  privileged  true   gt    lt  --  lt Valve className  org apache catalina valves RemoteAddrValve  allow  127   d    d    d    1 0 0 0 0 0 0 0 1    gt  -- gt    lt  Context gt    You can find more details at this page

[tomcat] 403 Access Denied on Tomcat 8 Manager App without prompting for user/password

Examples related to tomcat

Examples related to tomcat8