[tomcat] 403 Access Denied on Tomcat 8 Manager App without prompting for user/password

I have set up tomcat 8 according to this, and I have the following tomcat-users.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0"> 
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>

  <user username="notadmin" password="not_real_pass" roles="manager-gui"/>
  <user username="cargo" password="not_real_pass" roles="manager-script"/>
</tomcat-users>

When I try to access the Manager App, I get rejected with 403 without any prompt for username and password.

What did I miss in the config?

Edit1: Added full xml file.

Correct answer can be found here


Looks like this issue can be reproduced while following the mentioned tutorial on unix machines. Also noticed that the author uses TC 8.0.33.
Win (and OSX) do not have such an issue, at least on my env:

Server version:        Apache Tomcat/8.5.4
Server built:          Jul 6 2016 08:43:30 UTC
Server number:         8.5.4.0
OS Name:               Windows 8.1
OS Version:            6.3
Architecture:          amd64
Java Home:             C:\TOOLS\jdk1.8.0_101\jre
JVM Version:           1.8.0_101-b13
JVM Vendor:            Oracle Corporation
CATALINA_BASE:         C:\TOOLS\tomcat\apache-tomcat-8.5.4
CATALINA_HOME:         C:\TOOLS\tomcat\apache-tomcat-8.5.4

After tomcat-users.xml is modified by adding a role and a user, Tomcat Web Application Manager can be accessed on Tomcat/8.5.4.


  1. Check whether a user has been created. If not, create one by opening the file /apache-tomcat-9.0.20/tomcat-users.xml and adding a line to it:

    <user username="tomcat" password="tomcat" roles="admin-gui,manager-gui,manager-script" />

  2. Go to /apache-tomcat-9.0.20/webapps/manager/META-INF/, open context.xml and comment out everything in the Context tag, for example:

<Context antiResourceLocking="false" privileged="true" >
  <!--Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /-->
</Context>

If none of the above works for you, make sure tomcat has access to the manager folder under webapps (chown ...). The message is the exact same message, and it took me 2 hours to figure out the problem. :-)

Just for someone else who came here for the same issue as me.


I foolishly uncommented the default config, which has passwords like "<must-be-changed>". Tomcat fails to parse this file (because of the "<"), and then whatever other config you add won't work.


The solution that worked for me is to edit the context.xml files in both $CATALINA_HOME/webapps/manager/META-INF and $CATALINA_HOME/webapps/host-manager/META-INF, where my IP is 123.123.123.123.

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|123.123.123.123" />
</Context>

I installed Tomcat 8.5 on Ubuntu and edited $CATALINA_HOME/conf/tomcat-users.xml:

<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="myuser" password="mypass" roles="admin-gui,manager-gui"/>

However, I still couldn't access both Tomcat Web Application Manager (localhost:8080/manager/html) and Tomcat Virtual Host Manager (localhost:8080/host-manager/html) until I edited context.xml files.


I was having the same problem while installing Tomcat in Docker. I solved it by adding "^.*$" instead of "127.\d+.\d+.\d+|::1|0:0:0:0:0:0:0:1|123.123.123.123"

Restart Tomcat.


Useful link here: Access Tomcat Manager App from different host

From Tomcat version 8 onwards, the manager/html URL won't be accessible to anyone except localhost.

In order to access the /manager/html URL, you need to make the change below in the context.xml of the manager app.

  1. Go to the /apache-tomcat-8.5.23/webapps/manager/META-INF location, then edit context.xml:

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="^.*$" />
 ......
</Context>

  2. Restart the server.

In my case it was the security constraints defined in web.xml. Make sure they have the same roles you use in your tomcat-users.xml file.

For example, this is one of the out-of-the-box tags and will work with the standard tomcat-users.xml.

 <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>manager-gui</role-name>
    </auth-constraint>
  </security-constraint>

In my case an admin had used a different role-name which prevented me from accessing the manager.
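Two of the causes reported in the answers above (a tomcat-users.xml that no longer parses, and a web.xml role nobody holds) can be checked offline. The following is an added example, not code from any of the answers; the function name `login_findings`, the sample inputs and the role name `ops-manager` are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def local(tag):
    """Drop the namespace ElementTree puts on tags ('{ns}user' -> 'user')."""
    return tag.rsplit("}", 1)[-1]


def login_findings(users_xml, web_xml):
    """List reasons a Manager login would be refused given these two files."""
    try:
        users_root = ET.fromstring(users_xml)
    except ET.ParseError as exc:
        # e.g. an uncommented sample user with password="<must-be-changed>"
        return ["tomcat-users.xml is not well-formed: %s" % exc]
    held = set()
    for el in users_root.iter():
        if local(el.tag) == "user":
            held.update(r.strip() for r in el.get("roles", "").split(","))
    required = set()
    for constraint in ET.fromstring(web_xml).iter():
        if local(constraint.tag) == "auth-constraint":
            required.update(r.text.strip() for r in constraint
                            if local(r.tag) == "role-name" and r.text)
    return ["no user holds role '%s' required by web.xml" % r
            for r in sorted(required - held)]


# Constructed inputs modelled on the snippets quoted in the answers above.
USERS_OK = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="notadmin" password="not_real_pass" roles="manager-gui"/>
</tomcat-users>"""
USERS_BROKEN = USERS_OK.replace(
    "</tomcat-users>",
    '  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>\n'
    "</tomcat-users>")
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/html/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
</security-constraint></web-app>"""
# Hypothetical renamed role, as in the answer where an admin changed role-name.
WEB_XML_RENAMED = WEB_XML.replace("manager-gui", "ops-manager")

if __name__ == "__main__":
    for users, web in [(USERS_OK, WEB_XML), (USERS_BROKEN, WEB_XML),
                       (USERS_OK, WEB_XML_RENAMED)]:
        print(login_findings(users, web) or "no findings")
```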


I had to add both manager-gui and manager-script roles for it to work, in version 9.

After getting access to the Manager App, while trying to upload a .war file, I got the exception

org.apache.tomcat.util.http.fileupload.FileUploadBase$IOFileUploadException

which I was able to solve using the answer of this post

To get access for Host Manager, check this post


<role rolename="tomcat"/>
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<user username="admin" password="admin" roles="tomcat,manager-gui,admin-gui,manager-script,manager-jmx"/>


Close all the sessions. Once they are closed, open the URL in incognito mode and log in again; it should start working.

This may work.

Find the CATALINA_HOME/webapps/manager/META-INF/context.xml file and add the comment markers around the Valve.

<Context antiResourceLocking="false" privileged="true" >

<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->

</Context>

You can find more details at this page.


The correct answer is as @JaKu pointed out. Tomcat is confining the access to localhost to make it secure. This is as it should be. Port forwarding to tomcat is the correct thing to do, preferably under something secure like SSH.


fade's answer worked for me. I moved from 8.0.30 to 8.5.5 and the difference was the valve in <8.0.30>/manager/META-INF/context.xml was already commented out from the tar file but was uncommented in 8.5.5 tar.

I failed to read this important message in the 403 response:

By default the Manager is only accessible from a browser running on the same machine as Tomcat. If you wish to modify this restriction, you'll need to edit the Manager's context.xml file.

And failed to read this too:

Since r1734267 a RemoteAddrValve is configured by default in Manager and HostManager web applications. This feature is present in 9.0.0.M4 and 8.5.0 onwards.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59672


I followed the same tutorial, but after some months I strangely got the error "403 Access Denied" while trying to use the Manager App. In this case I was using ipaddress:8080 in the address bar and the Tomcat Manager App didn't prompt for user/password. In the case of localhost:8080 the error was "401": the dialog box asking for username and password was displayed, but the user was not recognized.

I tried all the previous suggestions / solutions without luck. The only way I found was to repeat the entire tutorial again, also overwriting the files. When finished, I found the old deployed project again in the webapps directory. Now the Apache Tomcat/8.5.16 Manager App is working again. I do not know what happened, and I didn't understand it, also because I'm a newbie Tomcat user.


Copy the content below into the file tomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<role rolename="manager-gui"/>
<role rolename="manager-script"/>

<user username="notadmin" password="not_real_pass" roles="manager-gui"/>
<user username="cargo" password="not_real_pass" roles="manager-script"/>


</tomcat-users>

I have tested, it just works!



I have to modify the following files

$CATALINA_BASE/conf/Catalina/localhost/manager.xml and add the following lines

  <Context privileged="true" antiResourceLocking="false" 
     docBase="${catalina.home}/webapps/manager">
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
  </Context>

This will allow Tomcat to be accessed from any machine. If you want to grant access to a specific IP, then use the value below instead of allow="^.*$":

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\.11\.234" />
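The answers above change the Manager's RemoteAddrValve in four different ways, and the resulting exposure differs a lot. The following added example (not code from any answer) evaluates each variant against constructed probe addresses. `exposure`, `admits`, the probe list and the verdict labels are names chosen here, and Python's `re.fullmatch` stands in for the full-match regex test Tomcat performs in Java.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"
LOOPBACK = {"127.0.0.1", "::1"}
# Constructed probe addresses: loopback, two LAN hosts, one public host.
PROBES = ["127.0.0.1", "::1", "192.168.11.234", "192.168.11.235", "203.0.113.7"]


def admits(valve, addr):
    """Apply deny first, then allow; a valve with only deny admits the rest."""
    allow, deny = valve.get("allow"), valve.get("deny")
    if deny and re.fullmatch(deny, addr):
        return False
    if allow and re.fullmatch(allow, addr):
        return True
    return bool(deny) and not allow


def exposure(context_xml, probes=PROBES):
    """Return (verdict, admitted probes) for one Manager context.xml."""
    root = ET.fromstring(context_xml)  # commented-out Valves vanish here
    valves = [v for v in root.iter("Valve") if v.get("className") == VALVE]
    # With no RemoteAddrValve there is no address filter: every client passes.
    admitted = [a for a in probes if all(admits(v, a) for v in valves)]
    remote = [a for a in admitted if a not in LOOPBACK]
    if len(remote) == len([p for p in probes if p not in LOOPBACK]):
        verdict = "any-host"
    elif remote:
        verdict = "restricted-remote"
    else:
        verdict = "localhost-only"
    return verdict, admitted


CTX = '<Context antiResourceLocking="false" privileged="true">%s</Context>'
VALVE_XML = '<Valve className="' + VALVE + '" allow="%s" />'
# The four variants posted in the answers above, rebuilt as test input.
SAMPLES = {
    "default": CTX % (VALVE_XML % r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"),
    "commented-out": CTX % ("<!-- " + VALVE_XML % r"127\.\d+\.\d+\.\d+|::1" + " -->"),
    "wildcard": CTX % (VALVE_XML % "^.*$"),
    "single-ip": CTX % (VALVE_XML % r"192\.168\.11\.234"),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, *exposure(xml_text))
```

Commenting the valve out and allow="^.*$" both leave the username and password as the only barrier for any host that can reach the port, while the single-IP pattern also shuts out loopback unless the 127 and ::1 alternatives are kept in the expression.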