18

I am trying to log in to the Tomcat manager app but I cannot successfully create a login user in tomcat-users.xml. The initial content was this:

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
--><tomcat-users>
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary.
-->
<!--
  NOTE:  The sample user and role entries below are wrapped in a comment
  and thus are ignored when reading this file. Do not forget to remove
  <!.. ..> that surrounds them.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
-->
</tomcat-users>

Reading the official page, I modified the file like this, but with no result.

<?xml version="1.0" encoding="utf-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-status"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <user username="admin" password="admin" roles="manager-gui"/>
</tomcat-users>
Jack Willson

5 Answers

31

It seems this is the correct configuration. Take care not to separate roles with spaces!

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>  
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <role rolename="admin-gui"/>
  <role rolename="admin-script"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
</tomcat-users>
Yves Martin
Jack Willson
  • 1
    As pointed out here (http://stackoverflow.com/questions/18746195/tomcat-7-manager-cant-login) there MUST NOT be ANY SPACES between roles so this should be like this: – Nenad Bulatović Jun 09 '14 at 10:57
9

The accepted answer is wrong in one detail, but a VERY important one - there shouldn't be ANY spaces between roles for admin, as this list should be comma separated (as pointed out here: Tomcat 7 Manager can't login). I just had the same problem and resolved it the same way.

So, instead of this (as suggested in some answers):

<user username="admin" password="admin" roles="manager-gui, manager-script, manager-jmx, manager-status, admin-gui, admin-script"/>

it MUST be like this:

  <user username="admin" password="admin" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>

So altogether it should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <role rolename="admin-gui"/>
  <role rolename="admin-script"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
</tomcat-users>
Nenad Bulatović
6

You shouldn't combine the manager-gui roles with the manager-script or -jmx roles, because of compromising the Cross Site Scripting protection. The last manager roles can't be protected like the gui role.

Tilman
  • Indeed: https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html states: It is recommended to never grant the manager-script or manager-jmx roles to users that have the manager-gui role. – kghbln Aug 20 '18 at 16:46
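A lint for the conditions raised in the answers and comments above: whitespace inside the roles list, and manager-gui granted together with manager-script or manager-jmx, plus a password equal to the username as in the admin/admin entries. This is an added example, not part of any answer or of Tomcat; the function name, finding labels and sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the spaced roles list and the combined role grant
# that the answers and comments on this page discuss.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="admin"
        roles="manager-gui, manager-script, manager-jmx"/>
  <user username="deployer" password="constructed-Example-1" roles="manager-script"/>
</tomcat-users>"""

# Roles the quoted manager how-to says not to grant alongside manager-gui.
NON_GUI = {"manager-script", "manager-jmx"}


def lint_tomcat_users(xml_text):
    """Return a sorted list of (username, finding) tuples (labels are ours)."""
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter():
        if user.tag.rsplit("}", 1)[-1] != "user":  # tolerate a default xmlns
            continue
        name = user.get("username", "")
        raw = user.get("roles", "").split(",")
        roles = {r.strip() for r in raw if r.strip()}
        # Condition the answers on this page report as breaking manager login.
        if any(r != r.strip() for r in raw):
            findings.append((name, "whitespace-in-roles"))
        # Browser-facing role combined with the script/JMX interfaces.
        if "manager-gui" in roles and roles & NON_GUI:
            findings.append((name, "gui-combined-with-script-or-jmx"))
        # Trivially guessable credential, e.g. admin/admin.
        if name and user.get("password") == name:
            findings.append((name, "password-equals-username"))
    return sorted(findings)


if __name__ == "__main__":
    for username, finding in lint_tomcat_users(SAMPLE):
        print(username, finding)
```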
3

Have you configured your database realm in the server.xml in the conf folder? The default server.xml has the UserDatabase resource already set up, so if you have changed that, then no matter how you set up the tomcat-users.xml, you would not be able to authenticate.

In the conf/server.xml file... In the GlobalNamingResource tag define a Resource to use MemoryUserDatabaseFactory and within your Engine define a Realm to use UserDatabaseRealm. Just open the original server.xml (I'm using tomcat 7.0.62) and search for these names and you'll see the configurations. Based on your app and needs you may need to make additional changes.

Denise
  • This was the problem for me, no changes to tomcat-users will make a difference, like Denise says, if the server xml has been modified and is missing this - if you're having the same authentication problem after trying the tomcat-users.xml changes suggested, try this! – RMSTOKES Apr 12 '16 at 09:41
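To check the wiring this answer describes, the following added example (not from the answer or from Tomcat) parses a server.xml and reports whether a UserDatabaseRealm under the Engine points at a MemoryUserDatabaseFactory resource, and which users file that resource loads. The function name and both sample documents are constructed; the fully qualified class names are those used in the stock server.xml.

```python
import xml.etree.ElementTree as ET

FACTORY = "org.apache.catalina.users.MemoryUserDatabaseFactory"
REALM = "org.apache.catalina.realm.UserDatabaseRealm"

# Constructed sample modelled on the stock server.xml wiring (trimmed).
STOCK = """<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
    </Engine>
  </Service>
</Server>"""

# Constructed sample: the same file after the realm was swapped for another.
BROKEN = STOCK.replace(REALM, "org.example.CustomRealm")


def user_database_wiring(server_xml):
    """Return (ok, detail). ok is True when a UserDatabaseRealm inside the
    Engine references a MemoryUserDatabaseFactory resource; detail is then
    the users file path, otherwise the reason the check failed."""
    root = ET.fromstring(server_xml)
    resources = {
        r.get("name"): r.get("pathname")
        for r in root.findall("./GlobalNamingResources/Resource")
        if r.get("factory") == FACTORY
    }
    if not resources:
        return False, "no MemoryUserDatabaseFactory resource"
    for realm in root.findall(".//Engine//Realm"):
        if realm.get("className") == REALM:
            target = realm.get("resourceName")
            if target in resources:
                return True, resources[target]
            return False, "realm points at undefined resource %r" % target
    return False, "no UserDatabaseRealm under Engine"


if __name__ == "__main__":
    print(user_database_wiring(STOCK), user_database_wiring(BROKEN))
```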
0

You have to add a manager role user to access this feature. For this, edit the tomcat-users.xml file at apache-tomcat-7.0.56-windows-x64\apache-tomcat-7.0.56\conf if you are on Windows. Search for the <role rolename= > line. This will probably be commented. Add this code:

<role rolename="manager-gui"/>
<user username="your-user-name" password="your-password" roles="manager-gui,manager-script"/>
viper
  • From https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html "It is recommended to never grant the manager-script or manager-jmx roles to users that have the manager-gui role." – gliptak Mar 27 '17 at 14:05