I am trying to deploy a WAR on the remote Tomcat (Remote Machine) using Jenkins deploy to container Plugin.
I have done the following configuration in tomcat-users.xml
<user username="deployer" password="deployer" roles="manager-gui,manager-script,admin" />
I have setup the proper username password and port in Jenkins deployer container plugin. The setup is working fine for the local Tomcat.
But for remote Tomcat I keep getting the following error:
Caused by: org.codehaus.cargo.container.tomcat.internal.TomcatManagerException: The username you provided is not allowed to use the text-based Tomcat Manager (error 403)
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.invoke(TomcatManager.java:555)
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.list(TomcatManager.java:686)
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.getStatus(TomcatManager.java:699)
at org.codehaus.cargo.container.tomcat.internal.AbstractTomcatManagerDeployer.redeploy(AbstractTomcatManagerDeployer.java:174)
... 16 more
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: http://1.203.190.5:8080/manager/text/list
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.invoke(TomcatManager.java:544)
... 19 more
This seems to be a Jenkins bug but I got around the problem by setting up following configuration in Tomcat:
Edit the file /webapps/manager/META-INF/context.xml:
Previous:
<Context antiResourceLocking="false" privileged="true">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
Change this file to comment out the Valve:
<Context antiResourceLocking="false" privileged="true">
<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>
This resolved the issue.
I was facing the same issue while deploying an artifact to Tomcat with Jenkins via the container plugin.
Solution: I added manager-script and manager-gui to the roles of the user and provided full access to the webapps/* directory. This let me deploy the artifact successfully and view it with manager-app.
My OS: Debian 10
I solved this by editing the file /opt/tomcat/conf/tomcat-users.xml and adding the manager-script role
<role rolename="admin-gui,manager-gui,manager-script,manager-jmx,manager-status,admin-gui"/>
<user username="admin" password="password" roles="admin-gui,manager-gui,manager-script"/>
You just need to add the Jenkins IP address to the valve.
You need to update /webapps/manager/META-INF/context.xml, because it allows only localhost. If you know the specific hostname or IP, you can add it by replacing XXX.XXX.XXX.XXX with the IP address.
It's really important to keep the security in place.
<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|XXX.XXX.XXX.XXX" />
</Context>
After that, you need to restart tomcat.
$CATALINA_HOME/bin/shutdown.sh && $CATALINA_HOME/bin/startup.sh
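The difference between the default valve, the commented-out valve and a valve pinned to one extra address, as an added example that is not part of the original posts. It assumes Python's `re.fullmatch` behaves like the valve's whole-address match for these simple patterns, models only the `allow` attribute, and uses the documentation address 192.0.2.10 as a stand-in for the Jenkins host.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample files modelled on the context.xml snippets in this thread.
DEFAULT_CTX = r'''<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>'''

COMMENTED_CTX = r'''<Context antiResourceLocking="false" privileged="true">
  <!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  -->
</Context>'''

# Dots in the added address are escaped so each one matches only a literal dot.
PINNED_CTX = r'''<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.0\.2\.10" />
</Context>'''


def allow_patterns(context_xml):
    """Return the allow regex of every active RemoteAddrValve.

    The XML parser drops comments, so a commented-out valve is not returned.
    """
    root = ET.fromstring(context_xml)
    return [v.get("allow") for v in root.iter("Valve")
            if v.get("className") == VALVE and v.get("allow") is not None]


def is_allowed(context_xml, remote_addr):
    """True if the address filter would let remote_addr reach the manager."""
    patterns = allow_patterns(context_xml)
    if not patterns:
        # No active valve: there is no address filter, only the login remains.
        return True
    return all(re.fullmatch(p, remote_addr) is not None for p in patterns)


def report(context_xml, addresses):
    """Map each probe address to the filter decision."""
    return {addr: is_allowed(context_xml, addr) for addr in addresses}


if __name__ == "__main__":
    probes = ["127.0.0.1", "192.0.2.10", "198.51.100.7"]
    for name, ctx in [("default", DEFAULT_CTX),
                      ("commented out", COMMENTED_CTX),
                      ("pinned", PINNED_CTX)]:
        print(f"{name:14s}", report(ctx, probes))
```

With the valve commented out every probe address passes the filter, so the manager is protected only by the credentials in tomcat-users.xml.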
If nothing works, simply create another user in the tomcat-users.xml file with the manager-script role assigned and set this user's credentials in Jenkins.
In tomcat-users.xml file
<tomcat-users>
<user username="deployuser" password="deployuser" roles="manager-script" />
<user username="admin" password="admin" roles="manager-gui" />
</tomcat-users>
In Tomcat 9, you don't need to add any manager-XXX roles. All you have to do is add the users and assign the manager-gui (for GUI access) and manager-script (for access like Jenkins deployment) roles.
Also, make sure to edit the file /webapps/manager/META-INF/context.xml, either to comment out the valve or to define an appropriate regex for the allow attribute.
Step 1:
We need to update \webapps\manager\META-INF\context.xml, because it allows only localhost. If you know the specific hostname or IP, you can add it.
<Context antiResourceLocking="false" privileged="true" >
<!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>
Step 2:
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-gui, manager-script"/>
Deployment went successful.
I had the same issue. Changing the username to "admin" should do the work.
I am trying to access the manager app in tomcat7. However, it does not even ask for credentials and shows 403 access denied directly. I have already set my conf/tomcat-users.xml file. Here is a snapshot:
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="manger-script"/>
<user password="user1" roles="admin-gui" username="user1"/>
<user password="user1" roles="manager-gui" username="user1"/>
<user password="tomcat" roles="tomcat" username="tomcat"/>
<user password="user1" roles="manager" username="user1"/>
<user password="tomcat" roles="tomcat,role1" username="both"/>
<user password="tomcat" roles="role1" username="role1"/>
<user password="user1" roles="manager-script,admin,tomcat" username="user1"/>
</tomcat-users>
It was working fine for me a few days ago, though! Also, this is not a duplicate of this link or any other as I am not even getting a prompt for credentials.
I have added users and roles as follows on my Linux (Fedora 17) machine with Tomcat 7, but I am still getting a 403 access denied error. How do I resolve this?
<role rolename="tomcat"/>
<role rolename="manager"/>
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="tomcat" password="tomcat" roles="admin_gui,manager_gui"/>
<user username="admin" password="admin" roles="admin,manager,admin_gui,manager_gui"/>
<user username="hextek" password="123456" roles="admin,admin_gui,manager,manager_gui"/>
Check the role names that you use in the user definition. They are different from the standard ones, and from those you define.
Should be manager-gui
Note that for Tomcat 6.0.30 onwards, the roles required to use the
manager application were changed from the single manager role to add
the following four roles. (The manager role is still available but
should not be used as it avoids the CSRF protection). You will need to
assign the role(s) required for the functionality you wish to access.
manager-gui - allows access to the HTML GUI and the status pages
manager-script - allows access to the text interface and the status pages
manager-jmx - allows access to the JMX proxy and the status pages
manager-status - allows access to the status pages only
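A small audit of tomcat-users.xml for the role-name mistakes discussed above, as an added example that is not code from the original posts. The sample file is constructed from mistakes posted on this page; the finding names and the 0.8 similarity cutoff are choices made for this example.

```python
import difflib
import xml.etree.ElementTree as ET
from collections import Counter

# Role names for the manager and host-manager apps, as listed on this page.
KNOWN_ROLES = ["manager-gui", "manager-script", "manager-jmx",
               "manager-status", "admin-gui", "admin-script"]

# Constructed sample combining mistakes posted in this thread.
SAMPLE = '''<tomcat-users>
  <role rolename="manger-script"/>
  <role rolename="admin-gui,manager-gui"/>
  <user username="tomcat" password="tomcat" roles="admin_gui,manager_gui"/>
  <user username="user1" password="user1" roles="manager-gui"/>
  <user username="user1" password="user1" roles="manager-script,admin,tomcat"/>
  <user username="deployuser" password="constructed-long-secret" roles="manager-script"/>
</tomcat-users>'''


def local(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def audit(users_xml):
    """Return sorted (kind, subject, detail) findings for a tomcat-users.xml."""
    root = ET.fromstring(users_xml)
    findings = set()

    def check_role(name, where):
        if "," in name:
            # rolename holds one name; a comma list does not declare several.
            findings.add(("comma-in-rolename", where, name))
            return
        near = difflib.get_close_matches(name, KNOWN_ROLES, n=1, cutoff=0.8)
        if name not in KNOWN_ROLES and near:
            findings.add(("probable-typo", where, f"{name} -> {near[0]}"))

    names = []
    for elem in root.iter():
        if local(elem.tag) == "role":
            check_role(elem.get("rolename", "").strip(), "<role>")
        elif local(elem.tag) == "user":
            # Posts on this page use both username= and name=; read either.
            uname = elem.get("username") or elem.get("name") or ""
            names.append(uname)
            for role in elem.get("roles", "").split(","):
                check_role(role.strip(), uname)
            if elem.get("password") == uname:
                findings.add(("password-equals-username", uname, ""))
    for uname, count in Counter(names).items():
        if count > 1:
            findings.add(("duplicate-user", uname, f"{count} entries"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```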
I had same problem with manager access denied and couldn't enter into manager GUI but after adding these lines to server.xml in conf folder
LINE 103..
add after
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.MemoryRealm" />
and tomcat-users.xml file
<tomcat-users>
<role rolename="manager-gui"/>
<user name="manager" password="password" roles="manager-gui" />
</tomcat-users>
.... now good to go..
I got the same problem as Raman, I add "admin-gui" role and able to get host-manager pages.
Here's the ref: http://www.gayward-concepts.com/cannot-access-host-manager-in-tomcat7/
Add following to the "tomcat-users.xml" under "tomcat-users" tag. (Better to comment existings in between "tomcat-users" tag)
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<user username="admin" password="admin" roles="manager-gui,admin-gui"/>
Save and restart tomcat!!
If you are still receiving 403 despite having configured tomcat-users.xml properly, do take a look at the context.xml within manager.
Example,
<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
Notice it requires you to use 127.0.0.1 or [::1], so modify this according to your security requirements.
It often happens when you modify the config file in your Tomcat installation directory, but if you are using Tomcat with NetBeans, for example, the conf file to be modified is not that one:
For Windows users, go to:
C:\Users\YOURACCOUNTNAME.netbeans\7.1.2\apache-tomcat-7.0.22.0_base\conf
To use the web administration gui you have to add the gui role :
<tomcat-users>
<role rolename="manager-script"/>
<role rolename="manager-gui"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user username="tomcat" password="tomcat" roles="manager-gui,manager-status"/>
</tomcat-users>
I am trying to log in to the Manager App in Tomcat 7.0.22 for Mac OS X 10.7. Here is the error I am getting: http://f.cl.ly/items/421q1K3f1i0X1H1M181v/so.tiff
401 Unauthorized
You are not authorized to view this page. If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation. That file must contain the credentials to let you use this webapp.
For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above.
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
I have added this to my tomcat-users.xml, but it's still not accepting the same username/password.
<tomcat-users>
<role rolename="manager-gui"/>
<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>
</tomcat-users>
OK, I had this error too. Couldn't find the bug, couldn't find the bug, couldn't find the bug. My "tomcat-users" block looked just like this.
<tomcat-users>
<role rolename="manager-gui"/>
<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>
</tomcat-users>
FINALLY FOUND THE BUG. I kept editing the XML inside the XML comment block:
<!--
<tomcat-users>
<role rolename="manager-gui"/>
<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>
</tomcat-users>
-->
DOH!
So: don't forget to remove the "<!--" and "-->".
Sorry, I have to ask the obvious: Did you restart Tomcat?
If that doesn't work, try adding "admin-gui" to your roles:
<user name="tomcat" password="s3cret" roles="admin-gui,standard,manager-gui"/>
Check your browser.
I was running tomcat locally on Windows, and trying to log in using Chrome. None of the suggestions above seemed to work. Finally on a whim, I tried Firefox and got the login prompt! I restarted Chrome and tried it again, and still nothing. It appears our network policy screws with Chrome - probably blocking the popup login dialog.
I also encountered this problem. The content of my tomcat-users.xml was correct, but the file was not readable by Tomcat. I changed the file's group to tomcat7, restarted Tomcat, and voilà!
Here's the content of my tomcat-users.xml:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<user username="admin" password="admin" roles="manager-gui, admin-gui" />
</tomcat-users>
To add some clarity, here are the roles you need to add to your conf/tomcat-users.xml as of Tomcat 7.x. If you want to keep the comments you can, but this is all you need (to log in with admin/admin) in the file:
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="admin" password="admin" roles="manager-gui, manager-script, manager-jmx, manager-status, admin-gui, admin-script"/>
</tomcat-users>
It's unlikely that anybody made the same mistake I did, but in case you have a couple of versions of Tomcat (or have fudged the installation and have files you need to clean up), make sure you are in the correct folder.
I was looking at the config file in C:\tomcat7\ but the actual Tomcat that was running was in C:\Program Files\Apache Software Foundation\Tomcat 7.0\
Check the exact lines in server.xml
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
Navdeep
I had same error then I changed password in users.xml. It solved. If you use some special chars like & or #. It doesn't work. Remove it.
If you are at Tomcat 8, you maybe missing the following. After updating the Realms and tomcat-users.xml, you also need to edit the apps' context.xml.
By default, newer versions of Tomcat restrict access to the Manager and Host Manager apps to connections coming from the server itself. Since we are installing on a remote machine, you will probably want to remove or alter this restriction. To change the IP address restrictions on these, open the appropriate context.xml files.
For Manager app:
/webapps/manager/META-INF/context.xml
For Host-Manager app:
/opt/tomcat/webapps/host-manager/META-INF/context.xml
Comment out the following section for Valve as follows-
<Context antiResourceLocking="false" privileged="true" >
<!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->
</Context>
You should be all set after this.
Changing the port from 8080 to 8088 in server.xml worked for me. Refer to the code below:
<Connector port="8088" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
I was getting exactly the same error and it only started working after I changed the connector port from 8080 to 8081.
Also make sure that you have set the TOMCAT_HOME as well as JAVA_HOME environment variables correctly.
In Windows I had a CATALINA_HOME environment variable defined for another Tomcat installation, so that one was starting even though I was using the startup script in the new installation folder. So just deleting CATALINA_HOME solved the problem for me.
In my case, I had multiple <Engine><Host>...</Host></Engine> sections in my context.xml and I had to copy and paste the <Realm className="org.apache.catalina.realm.LockOutRealm">...</Realm> into each <Engine>...</Engine> section because I had the manager app deployed in each one of these hosts that were part of a separate Engine.
The answer from @swapnil chaudhari about the IP address restriction in the app's META-INF/context.xml is also helpful, however I found it more beneficial to override the Context in my server's server.xml.
In the end, I have something like this for each one of my Engines:
<Engine name="CatalinaMyUniqueEngine"
defaultHost="MyUniqueHost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="MyUniqueHost"
appBase="/opt/tomcat/webapps/MyUniqueHost"
unpackWARs="true" autoDeploy="true">
<Context path="/manager" privileged="true" antiResourceLocking="false"
docBase="manager">
<!-- Wider allowance than the default.
Or you can remove to allow all IPs, which probably isn't
a good idea. -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.0\.0\.1|10\.244\.\d+\.\d+" />
</Context>
</Host>
</Engine>
docBase is relative to appBase. In /opt/tomcat/webapps/MyUniqueHost, I have a symbolic link to the manager application installed by my system's package manager (Debian-based), which placed it at /usr/share/tomcat8-admin/manager. These symbolic links allow me to use the manager app in all my Hosts without copying the manager application.
Just to add some information on @David's answer:
If you are like me and SFTP to the host with any user under a group other than tomcat (for e.g. root) and edit tomcat_users.xml with some generic editor like gedit or VS Code, the group of the file will be changed to the user you used (probably because a new file was created). Like below:
drwxr-x--- 2 root tomcat 4096 Jun 21 11:41 ./
drwxr-xr-x 9 root tomcat 4096 May 24 14:12 ../
-rw-r----- 1 root tomcat 13531 Apr 28 03:34 catalina.policy
-rw-r----- 1 root tomcat 7202 Apr 28 03:34 catalina.properties
-rw-r----- 1 root tomcat 1400 Apr 28 03:34 context.xml
-rw-r----- 1 root tomcat 1149 Apr 28 03:34 jaspic-providers.xml
-rw-r----- 1 root tomcat 2313 Apr 28 03:34 jaspic-providers.xsd
-rw-r----- 1 root tomcat 3850 Apr 28 03:34 logging.properties
-rw-r----- 1 root tomcat 7511 Apr 28 03:34 server.xml
-rw-r----- 1 root root 2342 Jun 21 11:41 tomcat-users.xml
-rw-r----- 1 root tomcat 2633 Apr 28 03:34 tomcat-users.xsd
-rw-r----- 1 root tomcat 170202 Apr 28 03:34 web.xml
Maybe my initial setup of Tomcat was a bit casual... But with the above behavior, Tomcat will lose access to the edited file. The result would be 401 Unauthorized.
There are a number of options to get around the problem. I'm not sure if any of them is the best practice though.
Changing permission after the edit (yes sure...).
nano and WinSCP do not seem to suffer from the issue.
SETGID: chmod g+s /conf_folder (not tested).
Follow this answer
Maybe an editor that is permission-aware?
The below should work for a "vanilla" installation (or zip/tar archive) - replace your tomcat-users.xml with (similar to) this:
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="abc" password="xyz" roles="manager-gui, manager-script, manager-jmx, manager-status, admin-gui, admin-script"/>
</tomcat-users>
I ran into similar issue and still not able to login using Google Chrome (Version 73.0.3683.103) as on date 05/14/2019 10:30am CST despite reinstalling/configuring Google Chrome multiple times.
I would suggest, try using different browser such as Firefox/IE etc if you are running into this issue even after fiddling a lot with xmls.
So if nothing else works for you check that here
I had messed in my server.xml with the following line
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="jdbc/myapp"/>
That here should always be resourceName="UserDatabase"
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
I mistakenly thought it had to do with my application database and configured it that way. This is the Tomcat user database, not the database that belongs to your application.
Another thing to notice on Mac if you install Tomcat via Homebrew is that the tomcat-users.xml file exists in 2 different locations.
/usr/local/opt/tomcat@9/libexec/conf/tomcat-users.xml
/usr/local/Cellar/tomcat@9/9.0.65/.bottle/etc/tomcat@9
You need to add the role/user in the tomcat-users.xml within the /usr/local/opt directory.
I tried to add the username tomcat in tomcat-users.xml, which was already a role, and it was not working.
Then I gave the username as admin and it worked fine..:)
Shut down Tomcat
Paste the complete content below into tomcat-users.xml and save
Start Tomcat
Now build; it should work. I did this on Windows with Jenkins and Git deployment via tomcat7
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user roles="manager-gui, manager-script, manager-jmx, manager-status, admin-gui, admin-script" password="admin" username="admin"/>
</tomcat-users>
I was using a particularly complex password with lots of odd characters. I just changed it back to a regular password and it worked fine.