I just deployed a SpringBoot App WAR file to a Tomcat 8 server and need to check the app status. However, I'm getting 401 Unauthorized while trying to access the Tomcat App Manager:
You are not authorized to view this page. If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation. That file must contain the credentials to let you use this webapp.
I've restarted the server after adding roles to tomcat-users.xsd. Below is my tomcat-users.xsd:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<role rolename="tomcat"/>
<role rolename="manager-gui"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,manager-gui"/>
<user username="manager-gui" password="tomcat" roles="manager-gui"/>
</tomcat-users>
I am trying to deploy a WAR on the remote Tomcat (Remote Machine) using Jenkins deploy to container Plugin.
I have done the following configuration in tomcat-users.xml
<user username="deployer" password="deployer" roles="manager-gui,manager-script,admin" />
I have setup the proper username password and port in Jenkins deployer container plugin. The setup is working fine for the local Tomcat.
But for remote Tomcat I keep getting the following error:
Caused by: org.codehaus.cargo.container.tomcat.internal.TomcatManagerException: The username you provided is not allowed to use the text-based Tomcat Manager (error 403)
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.invoke(TomcatManager.java:555)
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.list(TomcatManager.java:686)
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.getStatus(TomcatManager.java:699)
at org.codehaus.cargo.container.tomcat.internal.AbstractTomcatManagerDeployer.redeploy(AbstractTomcatManagerDeployer.java:174)
... 16 more
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: http://1.203.190.5:8080/manager/text/list
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.invoke(TomcatManager.java:544)
... 19 more
This seems to be a Jenkins bug but I got around the problem by setting up following configuration in Tomcat:
Edit the file /webapps/manager/META-INF/context.xml:
Previous:
<Context antiResourceLocking="false" privileged="true">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
Change this file to comment out the Valve:
<Context antiResourceLocking="false" privileged="true">
<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>
This resolved the issue.
I was facing the same issue while deploying artifact to tomcat with jenkins via container plugin,
Solution: I have added manager-script and manager-gui to the roles of the user and provided full access to the webapps/* directory. It helped me to deploy the artifact successfully and I am able to view it with manager-app.
My OS: Debian 10
I solved this by editing file /opt/tomcat/conf/tomcat-users.xml and added manager-script role
<role rolename="admin-gui,manager-gui,manager-script,manager-jmx,manager-status,admin-gui"/>
<user username="admin" password="password" roles="admin-gui,manager-gui,manager-script"/>
You just need to add the jenkins IP address to the valve.
You need to update : /webapps/manager/META-INF/context.xml. Because it allows only localhost. If you know the specific hostname or IP, you can add it replacing XXX.XXX.XXX.XXX by the IP address.
It's really important to keep the security in place.
<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|XXX.XXX.XXX.XXX" />
</Context>
After that, you need to restart tomcat.
$CATALINA_HOME/bin/shutdown.sh && $CATALINA_HOME/bin/startup.sh
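An added example, not part of the answers above: a Python check of which client addresses a manager context.xml would admit, comparing the default valve, the commented-out valve and a valve with one extra address. re.fullmatch stands in for the whole-string match Tomcat applies to the allow pattern; 192.0.2.10 and the other client addresses are constructed stand-ins.

```python
import re
import xml.etree.ElementTree as ET

def admitted(context_xml, clients):
    """Return the client addresses that an active RemoteAddrValve would let through."""
    root = ET.fromstring(context_xml)  # the default parser drops XML comments
    valves = [v for v in root.iter("Valve")
              if v.get("className", "").endswith(".RemoteAddrValve")]
    if not valves:
        return list(clients)           # no valve: every address reaches the login prompt
    allow = valves[0].get("allow")
    if allow is None:
        return []                      # this example covers valves that use allow only
    rx = re.compile(allow)
    return [c for c in clients if rx.fullmatch(c)]  # the whole address must match

LOOPBACK = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
TEMPLATE = '<Context antiResourceLocking="false" privileged="true">{}</Context>'
VALVE = '<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="{}"/>'

DEFAULT = TEMPLATE.format(VALVE.format(LOOPBACK))
COMMENTED = TEMPLATE.format("<!-- " + VALVE.format(LOOPBACK) + " -->")
# 192.0.2.10 is a constructed stand-in for the Jenkins host (documentation range).
WITH_CI = TEMPLATE.format(VALVE.format(LOOPBACK + r"|192\.0\.2\.10"))

# Constructed client addresses: loopback (IPv4, IPv6), the CI host, an unrelated host.
CLIENTS = ["127.0.0.1", "0:0:0:0:0:0:0:1", "192.0.2.10", "198.51.100.7"]

if __name__ == "__main__":
    for label, doc in (("default", DEFAULT), ("valve commented out", COMMENTED),
                       ("CI address added", WITH_CI)):
        print(f"{label}: {admitted(doc, CLIENTS)}")
```

With the valve commented out, the unrelated host is admitted as well, so only the password in tomcat-users.xml stands between it and the manager.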
If nothing works, simply create another user in the tomcat-users.xml file with the manager-script role assigned and set this user's credentials in Jenkins.
In tomcat-users.xml file
<tomcat-users>
<user username="deployuser" password="deployuser" roles="manager-script" />
<user username="admin" password="admin" roles="manager-gui" />
</tomcat-users>
In Tomcat 9, you don't need to add any manager-XXX roles. All you have to do is add the users and assign the manager-gui (for GUI access) and manager-script (for access like Jenkins deployment).
Also, make sure to edit the file /webapps/manager/META-INF/context.xml, either to comment out the valve or to define an appropriate regex for the allow attribute.
Step 1:
We need to update: \webapps\manager\META-INF\context.xml, because it allows only localhost. If you know the specific hostname or IP, you can add it.
<Context antiResourceLocking="false" privileged="true" >
<!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>
Step 2:
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-gui, manager-script"/>
Deployment went successful.
I had the same issue. Changing the username to "admin" should do the work.
I'm having a problem accessing the Tomcat manager app on localhost. When I installed Tomcat on my Mac, it didn't ask me to set a username or password (as it does on Windows). But if I try to log in to the manager app, it requires both of them.
What I've tried so far:
1) I took the username and password from tomcat-user.xml and tried to login
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
<!--
NOTE: The sample user and role entries below are wrapped in a comment
and thus are ignored when reading this file. Do not forget to remove
<!.. ..> that surrounds them.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
-->
</tomcat-users>
2) Then I uncommented role and user tags (by default they are commented) and tried to login
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
<!--
NOTE: The sample user and role entries below are wrapped in a comment
and thus are ignored when reading this file. Do not forget to remove
<!.. ..> that surrounds them.
-->
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>
3) Then I added some extra lines to xml, that are described here https://wiki.apache.org/tomcat/TomcatOnMacOS under step 3 and tried to login
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
<!--
NOTE: The sample user and role entries below are wrapped in a comment
and thus are ignored when reading this file. Do not forget to remove
<!.. ..> that surrounds them.
-->
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="manager"/>
<role rolename="admin"/>
<user username="tomcat" password="tomcat" roles="tomcat,admin,manager"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>
but so far nothing has helped. Any suggestions how to solve this problem?
If you press cancel on the basic authentication that pops up it should list the roles you're missing/are needing.
I have this config for my tomcat 8:
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="admin" password="password" roles="manager-gui,admin-gui,manager-script"/>
It's been a while since I've actively and willingly used the manager application, but there are two common caveats. One is written in the snippet that you copied in your question
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
e.g. you might need a manager-gui role. However, due to my abstinence of using this app, I'm not 100% sure that this is indeed the case, manager might be sufficient.
The other common problem is something that you don't mention: tomcat-users.xml will only be read once at startup. If you change it while tomcat runs, you need to restart tomcat in order to pick up the changes - or configure a different realm that uses a proper database. tomcat-users.xml is just a quick-and-dirty implementation of a realm, that's not really good for production use IMHO (unless limitations like this are fine for you).
Try setting the manager-gui role. This would work
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<role rolename="tomcat"/>
<role rolename="manager-gui"/>
<user username="tomcat" password="password1" roles="tomcat, manager-gui"/>
</tomcat-users>
I am trying to access the manager app in tomcat7. However, it does not even ask for credentials and shows 403 access denied directly. I have already set my conf/tomcat-users.xml file. Here is a snapshot:
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="manger-script"/>
<user password="user1" roles="admin-gui" username="user1"/>
<user password="user1" roles="manager-gui" username="user1"/>
<user password="tomcat" roles="tomcat" username="tomcat"/>
<user password="user1" roles="manager" username="user1"/>
<user password="tomcat" roles="tomcat,role1" username="both"/>
<user password="tomcat" roles="role1" username="role1"/>
<user password="user1" roles="manager-script,admin,tomcat" username="user1"/>
</tomcat-users>
It was working fine for me a few days ago, though! Also, this is not a duplicate of this link or any other as I am not even getting a prompt for credentials.
I have added users and roles as follows on my Linux (Fedora 17) machine with Tomcat 7, but I am still getting a 403 access denied error. How to resolve this?
<role rolename="tomcat"/>
<role rolename="manager"/>
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="tomcat" password="tomcat" roles="admin_gui,manager_gui"/>
<user username="admin" password="admin" roles="admin,manager,admin_gui,manager_gui"/>
<user username="hextek" password="123456" roles="admin,admin_gui,manager,manager_gui"/>
Check the role names that you use in the user definition. They are different from the standard ones, and from those you define.
Should be manager-gui
Note that for Tomcat 6.0.30 onwards, the roles required to use the
manager application were changed from the single manager role to add
the following four roles. (The manager role is still available but
should not be used as it avoids the CSRF protection). You will need to
assign the role(s) required for the functionality you wish to access.
manager-gui - allows access to the HTML GUI and the status pages
manager-script - allows access to the text interface and the status pages
manager-jmx - allows access to the JMX proxy and the status pages
manager-status - allows access to the status pages only
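An added example, not from the answers above: a Python linter for tomcat-users.xml that flags the role-name mistakes discussed on this page (underscores, misspellings, the legacy manager role), a user defined more than once, a password equal to the username, and manager-gui combined with manager-script or manager-jmx, which Tomcat's Manager documentation recommends against. The sample file and every name in it are constructed.

```python
import difflib
import xml.etree.ElementTree as ET
from collections import Counter

# Role names checked by the Manager and Host Manager webapps.
KNOWN = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
         "admin-gui", "admin-script"}
LEGACY = {"manager", "admin"}  # old single roles; "manager" avoids the CSRF protection

def _name(user):
    return user.get("username") or user.get("name")

def audit_users(xml_text):
    """Return sorted (username, finding) pairs for a tomcat-users.xml document."""
    users = [e for e in ET.fromstring(xml_text).iter()
             if e.tag.rsplit("}", 1)[-1] == "user"]  # tolerate the xmlns prefix
    dup = Counter(map(_name, users))
    out = {(n, "defined more than once") for n, c in dup.items() if c > 1}
    for u in users:
        name = _name(u)
        roles = {r.strip() for r in (u.get("roles") or "").split(",") if r.strip()}
        if u.get("password") == name:
            out.add((name, "password equals username"))
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            out.add((name, "manager-gui combined with manager-script/manager-jmx"))
        for r in roles - KNOWN:
            near = difflib.get_close_matches(r, sorted(KNOWN), n=1, cutoff=0.8)
            if r in LEGACY:
                out.add((name, f"legacy role '{r}'"))
            elif near:  # e.g. underscore instead of hyphen, dropped letter
                out.add((name, f"role '{r}' looks like a typo of '{near[0]}'"))
    return sorted(out)

# Constructed sample that combines mistakes of the kinds posted above.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="admin_gui,manager_gui"/>
  <user username="user1" password="s3cret-A" roles="manger-script"/>
  <user username="user1" password="s3cret-A" roles="manager"/>
  <user username="ci" password="s3cret-B" roles="manager-gui, manager-script"/>
  <user username="app" password="s3cret-C" roles="tomcat,role1"/>
</tomcat-users>"""

if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE):
        print(f"{user}: {finding}")
```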
I had same problem with manager access denied and couldn't enter into manager GUI but after adding these lines to server.xml in conf folder
LINE 103..
add after
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.MemoryRealm" />
and tomcat-users.xml file
<tomcat-users>
<role rolename="manager-gui"/>
<user name="manager" password="password" roles="manager-gui" />
</tomcat-users>
.... now good to go..
I got the same problem as Raman, I add "admin-gui" role and able to get host-manager pages.
Here's the ref: http://www.gayward-concepts.com/cannot-access-host-manager-in-tomcat7/
Add following to the "tomcat-users.xml" under "tomcat-users" tag. (Better to comment existings in between "tomcat-users" tag)
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<user username="admin" password="admin" roles="manager-gui,admin-gui"/>
Save and restart tomcat!!
If you are still receiving 403 despite having configured tomcat-users.xml properly, do take a look at the content.xml within manager.
Example,
<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
Notice it requires you to use 127.0.0.1 or [::1], so modify this according to your security requirements.
It often happens when you modify the config file in your Tomcat installation directory, but if you are using Tomcat with NetBeans, for example, the conf file to be modified is not that one:
For Windows users, go to:
C:\Users\YOURACCOUNTNAME.netbeans\7.1.2\apache-tomcat-7.0.22.0_base\conf
To use the web administration gui you have to add the gui role :
<tomcat-users>
<role rolename="manager-script"/>
<role rolename="manager-gui"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user username="tomcat" password="tomcat" roles="manager-gui,manager-status"/>
</tomcat-users>
In my tomcat-users.xml, I have
<tomcat-users>
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="admin" password="pass" roles='admin-gui,manager-gui'/>
</tomcat-users>
When I try to access http://localhost:8080/manager/html using the username and password, it does not log me in. The same authentication box appears again.
Put your roles in double quotes:
<user username="admin" password="pass" roles="admin-gui,manager-gui"/>
I found it was necessary to restart the tomcat server and restart/close/reopen the browser after changing the tomcat-user.xml.
This then worked.
When restarting the tomcat server, I use ./shutdown.sh, wait a couple of seconds, then use ./startup.sh from the tomcat bin directory. This gives the server a chance to reload.