I have installed Tomcat 9 on a remote server, and after starting it, it was brought up fine: I can access http://host_name:port_num and see the Tomcat hello page. But when I try to open the manager app to see my deployed apps, I get 403 access denied. I have already added roles in the tomcat user xml as follows:
<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="admin"/>
<user username="user" password="password" roles="admin,manager,manager-gui"/>
The error message I saw is:
By default the Host Manager is only accessible from a browser running on the same machine as Tomcat. If you wish to modify this restriction, you'll need to edit the Host Manager's context.xml file.
How should I change context.xml file and get access to manager app?
For Tomcat v8.5.4 and above, the file <tomcat>/webapps/manager/META-INF/context.xml has been adjusted:
<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
Change this file to comment out the Valve:
<Context antiResourceLocking="false" privileged="true" >
<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>
After that, refresh your browser (no need to restart Tomcat), and you can see the manager page.
To access the Tomcat manager from a different machine you have to follow the steps below:
1. Update conf/tomcat-users.xml file with user and some roles:
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user username="admin" password="admin" roles="manager-gui,manager-script,manager-jmx,manager-status"/>
Here the admin user is assigned roles="manager-gui,manager-script,manager-jmx,manager-status".
Here the tomcat user and password is: admin
2. Update webapps/manager/META-INF/context.xml file (Allowing IP address):
Default configuration:
<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
<Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
Here the Valve allows only local machine IPs starting with 127.\d+.\d+.\d+.
2.a : Allow specific IP:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|YOUR.IP.ADDRESS.HERE" />
Here you just replace |YOUR.IP.ADDRESS.HERE with your IP address
2.b : Allow all IP:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow=".*" />
Here using allow=".*" you are allowing all IP.
Thanks :)
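An added example, not part of the answers on this page or Tomcat's own code: a Python check that reads a manager context.xml and reports which remote addresses the RemoteAddrValve allow= pattern admits, run over the four variants discussed here. It models only the allow attribute and uses Python's re in place of java.util.regex; the sample files and probe addresses (documentation ranges) are constructed.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"
DEFAULT_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"  # value shown on the page
# Constructed probe addresses (documentation ranges) standing in for remote clients.
OUTSIDE = ["198.51.100.7", "203.0.113.10", "2001:db8::1"]

def valve(allow):
    return '<Valve className="%s" allow="%s" />' % (VALVE, allow)

def context(body):
    return '<Context antiResourceLocking="false" privileged="true">%s</Context>' % body

# Constructed inputs mirroring the variants discussed in the answers.
SAMPLES = {
    "default": context(valve(DEFAULT_ALLOW)),
    "valve commented out": context("<!-- %s -->" % valve(DEFAULT_ALLOW)),
    "2.a one extra address": context(valve(DEFAULT_ALLOW + r"|203\.0\.113\.10")),
    "2.b allow all": context(valve(".*")),
}

def allow_patterns(context_xml):
    """allow= of each active RemoteAddrValve; XML comments are not parsed as elements."""
    root = ET.fromstring(context_xml)
    return [v.get("allow") for v in root.iter("Valve") if v.get("className") == VALVE]

def admitted(context_xml, addr):
    """The whole address must match allow=; no valve or no allow= means no filtering."""
    return all(p is None or re.fullmatch(p, addr) is not None
               for p in allow_patterns(context_xml))

def classify(context_xml):
    """Label a context.xml by which constructed outside addresses reach the app."""
    reachable = [a for a in OUTSIDE if admitted(context_xml, a)]
    if len(reachable) == len(OUTSIDE):
        return "open"
    return "restricted" if reachable else "loopback-only"

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print("%-22s %s" % (name, classify(xml_text)))
```

Commenting out the Valve and setting allow=".*" classify the same way: in both cases the manager login is reachable from any address and only the tomcat-users.xml credentials stand in front of it.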
The following two configurations are working for me.
1. tomcat-users.xml details
--------------------------------
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<role rolename="tomcat"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="admin" password="admin" roles="admin-gui"/>
<user username="adminscript" password="adminscrip" roles="admin-script"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
<user username="status" password="status" roles="manager-status"/>
<user username="both" password="both" roles="manager-gui,manager-status"/>
<user username="script" password="script" roles="manager-script"/>
<user username="jmx" password="jmx" roles="manager-jmx"/>
2. context.xml of <tomcat>/webapps/manager/META-INF/context.xml and
<tomcat>/webapps/host-manager/META-INF/context.xml
------------------------------------------------------------------------
<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow=".*" />
<Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
Source: Stackoverflow.com