67

I have set up tomcat 8 according to this, and I have the following tomcat-users.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0"> 
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>

  <user username="notadmin" password="not_real_pass" roles="manager-gui"/>
  <user username="cargo" password="not_real_pass" roles="manager-script"/>
</tomcat-users>

When I try to access the Manager App, I get rejected with 403 without any prompt for username and password.

What did I miss in the config?

Edit1: Added full xml file.

Hodossy Szabolcs

17 Answers

177

This may work.

Find the CATALINA_HOME/webapps/manager/META-INF/context.xml file and add the comment markers around the Valve.

<Context antiResourceLocking="false" privileged="true" >

<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->

</Context>

You can find more details at this page.

Sridhar Sarnobat
fade
  • This was the issue for me. I was editing the global context.xml (which I guess got overridden by the more specific context.xml inside manager app?). – Salil Junior Jun 22 '17 at 17:55
  • 13
    This configuration has its security purposes, it allows to access the manager app only from localhost for example. You can 'resolve the issue' by ssh tunneling and forwarding the port the tomcat is running on (8080) by `ssh user@tomcat-machine -L 8080:localhost:8080` and then accessing the manager app not on `http://tomcat-machine:8080` but `http://localhost:8080` – JaKu Jul 31 '17 at 13:59
  • If this STILL isn't working for you, make the same change in `manager.xml` (your `catalina.out` file will tell you where it is, e.g. `20-Aug-2019 12:06:42.236 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying configuration descriptor /Users/me/apache-tomcat-8/conf/Catalina/localhost/manager.xml`) – Sridhar Sarnobat Aug 20 '19 at 19:08
23

The solution that worked for me is to edit the context.xml files in both $CATALINA_HOME/webapps/manager/META-INF and $CATALINA_HOME/webapps/host-manager/META-INF, where my ip is 123.123.123.123.

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|123.123.123.123" />
</Context>

I installed Tomcat 8.5 on Ubuntu and edited $CATALINA_HOME/conf/tomcat-users.xml:

<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="myuser" password="mypass" roles="admin-gui,manager-gui"/>

However, I still couldn't access both Tomcat Web Application Manager (localhost:8080/manager/html) and Tomcat Virtual Host Manager (localhost:8080/host-manager/html) until I edited context.xml files.

kimbaudi
18

Useful link here: Access Tomcat Manager App from different host

From Tomcat version 8 onwards, the manager/html url won't be accessible to anyone except localhost.

In order to access the /manager/html url, you need to make the change below in the context.xml of the manager app.

  1. Go to the /apache-tomcat-8.5.23/webapps/manager/META-INF location, then edit context.xml:

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="^.*$" />
 ......
</Context>

  2. Restart the server.
Vish
  • 3
    You are allowing any ip address with the regular expression `^.*$`. Are you sure you want any ip address to access Tomcat manager? – kimbaudi Apr 11 '19 at 16:58
17

Correct answer can be found here


Looks like this issue can be reproduced while following the mentioned tutorial on unix machines. Also noticed that the author uses TC 8.0.33.
Win (and OSX) do not have such an issue, at least on my env:

Server version:        Apache Tomcat/8.5.4
Server built:          Jul 6 2016 08:43:30 UTC
Server number:         8.5.4.0
OS Name:               Windows 8.1
OS Version:            6.3
Architecture:          amd64
Java Home:             C:\TOOLS\jdk1.8.0_101\jre
JVM Version:           1.8.0_101-b13
JVM Vendor:            Oracle Corporation
CATALINA_BASE:         C:\TOOLS\tomcat\apache-tomcat-8.5.4
CATALINA_HOME:         C:\TOOLS\tomcat\apache-tomcat-8.5.4

After tomcat-users.xml is modified by adding role and user Tomcat Web Application Manager can be accessed on Tomcat/8.5.4.

Gerardas
15

I have to modify the following files

$CATALINA_BASE/conf/Catalina/localhost/manager.xml and add following line

  <Context privileged="true" antiResourceLocking="false" 
     docBase="${catalina.home}/webapps/manager">
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
  </Context>

This will allow tomcat to be accessed from any machine. If you want to grant access to a specific IP, then use the value below instead of allow="^.*$":

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\.11\.234" />
user2720864
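
An added example, not part of any answer on this page: a small Python audit that parses a Manager context.xml and reports which remote addresses its RemoteAddrValve would admit, covering the variants posted above (default, commented out, `^.*$`, one extra IP). It assumes the valve's documented rule (deny first, then allow, whole-address match) and that Python's `re.fullmatch` behaves like Java's regex for these simple patterns; the sample files and probe addresses are constructed.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"
LOOPBACK = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"   # default allow from the page
# Constructed probes: a documentation-range host, the IP used in one answer, an IPv6 host.
REMOTE_PROBES = ["192.0.2.10", "123.123.123.123", "2001:db8:0:0:0:0:0:1"]

def is_allowed(addr, allow, deny):
    """Assumed valve rule: deny wins, then allow; the whole address must match."""
    if deny and re.fullmatch(deny, addr):
        return False
    if allow and re.fullmatch(allow, addr):
        return True
    return bool(deny) and not allow   # deny-only valve admits whatever is not denied

def audit_context(xml_text, probes=REMOTE_PROBES):
    """Return (verdict, probes admitted) for one context.xml document."""
    root = ET.fromstring(xml_text)    # commented-out valves vanish here, as in Tomcat
    valves = [v for v in root.iter("Valve") if v.get("className") == VALVE]
    admitted = [a for a in probes
                if all(is_allowed(a, v.get("allow"), v.get("deny")) for v in valves)]
    if not valves:
        verdict = "no address filter"
    elif len(admitted) == len(probes):
        verdict = "open to every probed address"
    elif admitted:
        verdict = "remote addresses admitted"
    else:
        verdict = "remote probes rejected"
    return verdict, admitted

# Constructed sample files mirroring the configurations posted in the answers.
TEMPLATE = '<Context antiResourceLocking="false" privileged="true">{}</Context>'
VALVE_TAG = '<Valve className="%s" allow="{}" />' % VALVE
SAMPLES = {
    "default": TEMPLATE.format(VALVE_TAG.format(LOOPBACK)),
    "commented-out": TEMPLATE.format("<!-- " + VALVE_TAG.format(LOOPBACK) + " -->"),
    "wildcard": TEMPLATE.format(VALVE_TAG.format("^.*$")),
    "one-host": TEMPLATE.format(VALVE_TAG.format(LOOPBACK + "|123.123.123.123")),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        verdict, admitted = audit_context(xml_text)
        print(f"{name:14} {verdict:30} {admitted}")
```

Commenting the valve out and setting `allow="^.*$"` admit the same remote probes; only the password in tomcat-users.xml then stands between the network and the Manager.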
4

fade's answer worked for me. I moved from 8.0.30 to 8.5.5 and the difference was the valve in <8.0.30>/manager/META-INF/context.xml was already commented out from the tar file but was uncommented in 8.5.5 tar.

I failed to read this important message in the 403 response:

By default the Manager is only accessible from a browser running on the same machine as Tomcat. If you wish to modify this restriction, you'll need to edit the Manager's context.xml file.

And failed to read this too:

Since r1734267 a RemoteAddrValve is configured by default in Manager and HostManager web applications. This feature is present in 9.0.0.M4 and 8.5.0 onwards.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59672

Jim
4
  1. Go and check whether a user has been created; if not, please create a user by opening the file /apache-tomcat-9.0.20/tomcat-users.xml and adding a line to it:

    <user username="tomcat" password="tomcat" roles="admin-gui,manager-gui,manager-script" />

  2. Go to /apache-tomcat-9.0.20/webapps/manager/META-INF/, open context.xml and comment out everything in the Context tag, for example:

<Context antiResourceLocking="false" privileged="true" >
     <!--Valve className="org.apache.catalina.valves.RemoteAddrValve"
            allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /-->
   </Context>
Pratik Gaurav
3

Copy the content below to the file tomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<role rolename="manager-gui"/>
<role rolename="manager-script"/>

<user username="notadmin" password="not_real_pass" roles="manager-gui"/>
<user username="cargo" password="not_real_pass" roles="manager-script"/>


</tomcat-users>

I have tested, it just works!


Vy Do
3

If none of the above works for you, make sure tomcat has access to the manager folder under webapps (chown ...). The message is the exact same message, and it took me 2 hours to figure out the problem. :-)

Just for someone else who came here for the same issue as me.

alizelzele
3
<role rolename="tomcat"/>
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <user username="admin" password="admin" roles="tomcat,manager-gui,admin-gui,manager-script,manager-jmx"/>


Close all the sessions; once closed, make sure to open the URL in incognito mode, log in again, and it should start working.
Jainender Chauhan
2

I foolishly uncommented the default config, which has passwords like "<must-be-changed>". Tomcat fails to parse this file (because of the "<"), and then whatever other config you add won't work.

chrismarx
  • 2
    After all these other tries, this was my problem. I just uncommented the other default users, not realizing the "<" mark in the "<must-be-changed>" default password would mess up my new user. This is REALLY bad on Apache's part – Fixee Sep 17 '17 at 17:27
2

In my case it was the security constraints defined in web.xml. Make sure they have the same roles you use in your tomcat-users.xml file.

For example, this is one of the out-of-the-box tags and will work with the standard tomcat-users.xml.

 <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>manager-gui</role-name>
    </auth-constraint>
  </security-constraint>

In my case an admin had used a different role-name which prevented me from accessing the manager.

Mustafa
0

I followed the same tutorial, but after some months I strangely got the error "403 Access Denied" while I tried to use the Manager App. In this case I was using ipaddress:8080 in the address bar and the Tomcat Manager App didn't prompt for user/password. In the case of localhost:8080 the error was "401"; the dialog box asking for username and password was displayed, but the user was not recognized.

I tried all the previous suggestions / solutions without luck. The only way I found was to repeat the entire tutorial again, also overwriting the files. When finished, I found the old deployed project again in the webapps directory. Now the Apache Tomcat/8.5.16 Manager App is working again. I do not know what happened; I didn't understand it, also because I'm a newbie Tomcat user.

Luigi D'Alessio
0

I had to add both manager-gui and manager-script roles for it to work, in version 9.

After getting access to the Manager App, while trying to upload a .war file, I got the exception

org.apache.tomcat.util.http.fileupload.FileUploadBase$IOFileUploadException

which I was able to solve using the answer of this post

To get access for Host Manager, check this post

sss
0

The correct answer is as @JaKu pointed out. Tomcat is confining the access to localhost to make it secure. This is as it should be. Port forwarding to tomcat is the correct thing to do, preferably under something secure like SSH.

Software Prophets
0

I know this question is for Tomcat 8 Manager. But I had an issue with Tomcat 10; the solution that worked for me is to uncomment the users admin and robot in {tomcat-install-dir}/conf/tomcat-users.xml:

 <user username="admin" password="password" roles="manager-gui"/>
 <user username="robot" password="admin" roles="manager-script"/>

Keep other lines commented

Adelin
-1

I was having the same problem while installing tomcat in docker. I solved it by adding "^.*$" instead of "127.\d+.\d+.\d+|::1|0:0:0:0:0:0:0:1|123.123.123.123"

Restart the tomcat.

Prasad MCN
  • 1
    I think your solution is bad in 2 ways: 1) You do not explain what `^.*$` does and just tell people to add it. 2) `^.*$` can be considered bad practice since you are basically allowing any ip address to access your tomcat server. Maybe you need to add `^.*$` since you are using Docker, but you should at least explain why. – kimbaudi Apr 11 '19 at 16:54