I have installed tomcat 9 on a remote sever and after starting it it was brought up fine I can access http host name port num and see tomcat hello page But when I try to open manager app to see my deployed apps I get 403 access denied I already add roles in tomcat user xml as following lt role rolename manager gt lt role rolename manager-gui gt lt role rolename admin gt lt user username user password password roles admin manager manager-gui gt The error messages I saw is By default the Host Manager is only accessible from a browser running on the same machine as Tomcat If you wish to modify this restriction you ll need to edit the Host Manager s context xml file How should I change context xml file and get access to manager app

For Tomcat v8 5 4 and above the file lt tomcat gt webapps manager META-INF context xml has been adjusted lt Context antiResourceLocking false privileged true gt lt Valve className org apache catalina valves RemoteAddrValve allow 127 d d d 1 0 0 0 0 0 0 0 1 gt lt Context gt Change this file to comment the Valve lt Context antiResourceLocking false privileged true gt lt -- lt Valve className org apache catalina valves RemoteAddrValve allow 127 d d d 1 0 0 0 0 0 0 0 1 gt -- gt lt Context gt After that refresh your browser not need to restart Tomcat you can see the manager page

To access the tomcat manager from different machine you have to follow bellow steps 1 Update conf tomcat-users xml file with user and some roles lt role rolename quot manager-gui quot gt lt role rolename quot manager-script quot gt lt role rolename quot manager-jmx quot gt lt role rolename quot manager-status quot gt lt user username quot admin quot password quot admin quot roles quot manager-gui manager-script manager-jmx manager-status quot gt Here admin user is assigning roles quot manager-gui manager-script manager-jmx manager-status quot Here tomcat user and password is admin 2 Update webapps manager META-INF context xml file Allowing IP address Default configuration lt Context antiResourceLocking quot false quot privileged quot true quot gt lt Valve className quot org apache catalina valves RemoteAddrValve quot allow quot 127 d d d 1 0 0 0 0 0 0 0 1 quot gt lt Manager sessionAttributeValueClassNameFilter quot java lang Boolean Integer Long Number String org apache catalina filters CsrfPreventionFilter LruCache 1 java util Linked HashMap quot gt lt Context gt Here in Valve it is allowing only local machine IP start with 127 d d d 2 a Allow specefic IP lt Valve className quot org apache catalina valves RemoteAddrValve quot allow quot 127 d d d 1 0 0 0 0 0 0 0 1 YOUR IP ADDRESS HERE quot gt Here you just replace YOUR IP ADDRESS HERE with your IP address 2 b Allow all IP lt Valve className quot org apache catalina valves RemoteAddrValve quot allow quot quot gt Here using allow quot quot you are allowing all IP Thanks

Each deployed webapp has a context xml file that lives in CATALINA BASE conf enginename hostname conf Catalina localhost by default and has the same name as the webapp manager xml in this case If no file is present default values are used So you need to create a file conf Catalina localhost manager xml and specify the rule you want to allow remote access For example the following content of manager xml will allow access from all machines lt Context privileged quot true quot antiResourceLocking quot false quot docBase quot catalina home webapps manager quot gt lt Valve className quot org apache catalina valves RemoteAddrValve quot allow quot YOUR IP ADDRESS HERE quot gt lt Context gt Note that the allow attribute of the Valve element is a regular expression that matches the IP address of the connecting host So substitute your IP address for YOUR IP ADDRESS HERE or some other useful expression Other Valve classes cater for other rules e g RemoteHostValve for matching host names Earlier versions of Tomcat use a valve class org apache catalina valves RemoteIpValve for IP address matching Once the changes above have been made you should be presented with an authentication dialog when accessing the manager URL If you enter the details you have supplied in tomcat-users xml you should have access to the Manager

Following two configuration is working for me 1 tomcat-users xml details -------------------------------- lt role rolename manager-gui gt lt role rolename manager-script gt lt role rolename manager-jmx gt lt role rolename manager-status gt lt role rolename admin-gui gt lt role rolename admin-script gt lt role rolename tomcat gt lt user username tomcat password tomcat roles tomcat gt lt user username admin password admin roles admin-gui gt lt user username adminscript password adminscrip roles admin-script gt lt user username tomcat password s3cret roles manager-gui gt lt user username status password status roles manager-status gt lt user username both password both roles manager-gui manager-status gt lt user username script password script roles manager-script gt lt user username jmx password jmx roles manager-jmx gt 2 context xml of lt tomcat gt webapps manager META-INF context xml and lt tomcat gt webapps host-manager META-INF context xml ------------------------------------------------------------------------ lt Context antiResourceLocking false privileged true gt lt Valve className org apache catalina valves RemoteAddrValve allow gt lt Manager sessionAttributeValueClassNameFilter java lang Boolean Integer Long Number String org apache catalina filters CsrfPreventionFilter LruCache 1 java util Linked HashMap gt

[tomcat] Access Tomcat Manager App from different host

I have installed tomcat 9 on a remote sever and after starting it, it was brought up fine, I can access http://host_name:port_num and see tomcat hello page. But when I try to open manager app to see my deployed apps, I get 403 access denied, I already add roles in tomcat user xml as following:

<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="admin"/>
<user username="user" password="password" roles="admin,manager,manager-gui"/>

The error messages I saw is:

By default the Host Manager is only accessible from a browser running on the same machine as Tomcat. If you wish to modify this restriction, you'll need to edit the Host Manager's context.xml file.

How should I change context.xml file and get access to manager app?

This question is related to tomcat

The answer is

For Tomcat v8.5.4 and above, the file <tomcat>/webapps/manager/META-INF/context.xml has been adjusted:

<Context antiResourceLocking="false" privileged="true" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>

Change this file to comment the Valve:

<Context antiResourceLocking="false" privileged="true" >
    <!--
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
    -->
</Context>

After that, refresh your browser (not need to restart Tomcat), you can see the manager page.

To access the tomcat manager from different machine you have to follow bellow steps:

1. Update conf/tomcat-users.xml file with user and some roles:

<role rolename="manager-gui"/>
 <role rolename="manager-script"/>
 <role rolename="manager-jmx"/>
 <role rolename="manager-status"/>
 <user username="admin" password="admin" roles="manager-gui,manager-script,manager-jmx,manager-status"/>

Here admin user is assigning roles="manager-gui,manager-script,manager-jmx,manager-status".

Here tomcat user and password is : admin

2. Update webapps/manager/META-INF/context.xml file (Allowing IP address):

Default configuration:

<Context antiResourceLocking="false" privileged="true" >
  
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>

Here in Valve it is allowing only local machine IP start with 127.\d+.\d+.\d+ .

2.a : Allow specefic IP:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|YOUR.IP.ADDRESS.HERE" />

Here you just replace |YOUR.IP.ADDRESS.HERE with your IP address

2.b : Allow all IP:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow=".*" />

Here using allow=".*" you are allowing all IP.

Thanks :)

Following two configuration is working for me.

1 .tomcat-users.xml details
--------------------------------
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <role rolename="admin-gui"/>
  <role rolename="admin-script"/>
  <role rolename="tomcat"/>


  <user  username="tomcat"  password="tomcat" roles="tomcat"/>

  <user  username="admin"  password="admin" roles="admin-gui"/>

  <user  username="adminscript"  password="adminscrip" roles="admin-script"/>

  <user  username="tomcat"  password="s3cret" roles="manager-gui"/>
  <user  username="status"  password="status" roles="manager-status"/>

  <user  username="both"    password="both"   roles="manager-gui,manager-status"/>

  <user  username="script"  password="script" roles="manager-script"/>
  <user  username="jmx"     password="jmx"    roles="manager-jmx"/>

2. context.xml  of <tomcat>/webapps/manager/META-INF/context.xml and 
<tomcat>/webapps/host-manager/META-INF/context.xml
------------------------------------------------------------------------
<Context antiResourceLocking="false" privileged="true" >

  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow=".*" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>

Source: Stackoverflow.com

Examples related to tomcat

• Jersey stopped working with InjectionManagerFactory not found • The origin server did not find a current representation for the target resource or is not willing to disclose that one exists. on deploying to tomcat • Spring boot: Unable to start embedded Tomcat servlet container • Tomcat 404 error: The origin server did not find a current representation for the target resource or is not willing to disclose that one exists • Spring Boot application in eclipse, the Tomcat connector configured to listen on port XXXX failed to start • Kill tomcat service running on any port, Windows • Tomcat 8 is not able to handle get request with '|' in query parameters? • 8080 port already taken issue when trying to redeploy project from Spring Tool Suite IDE • 403 Access Denied on Tomcat 8 Manager App without prompting for user/password • Difference between Xms and Xmx and XX:MaxPermSize

[tomcat] Access Tomcat Manager App from different host

The answer is

Examples related to tomcat

Tags