122

I have installed Tomcat 9 on a remote server and after starting it, it was brought up fine; I can access http://host_name:port_num and see the Tomcat hello page. But when I try to open the manager app to see my deployed apps, I get 403 access denied. I already added roles in tomcat-users.xml as follows:

<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="admin"/>
<user username="user" password="password" roles="admin,manager,manager-gui"/>

The error message I saw is:

By default the Host Manager is only accessible from a browser running on the same machine as Tomcat. If you wish to modify this restriction, you'll need to edit the Host Manager's context.xml file.

How should I change context.xml file and get access to manager app?

feichangh

6 Answers

185

For Tomcat v8.5.4 and above, the file <tomcat>/webapps/manager/META-INF/context.xml has been adjusted:

<Context antiResourceLocking="false" privileged="true" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>

Change this file to comment the Valve:

<Context antiResourceLocking="false" privileged="true" >
    <!--
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
    -->
</Context>

After that, refresh your browser (no need to restart Tomcat) and you should see the manager page.

jqgsninimo
  • [+1] Works in 8.5.0 but restart was required. Thanks! – JRichardsz Feb 14 '17 at 20:46
  • [+3] I had to wait about 10-15 seconds, but no restart needed in 8.5.11. Thanks! – Karl Henselin Mar 09 '17 at 15:54
  • [+2] Worked in 8.5.9 without restart. However, took about 15 seconds to apply on Windows 7 machine. Thanks! – cbmeeks May 10 '17 at 13:00
  • [+2] 403 Access Denied – 3xCh1_23 Jul 06 '17 at 19:51
  • Works with Tomcat/9.0.0.M22 but requires Restart. Thanks! – sherpaurgen Aug 02 '17 at 19:11
  • Worked out for me too on Tomcat 9 without restart! At first I made a mistake by commenting out the tag next to the tag too, so don't do that. – old-monk Aug 09 '17 at 20:49
  • On 8.5.20 this is not even present. I had to add the antiResourceLocking="false" privileged="true" part and it gave me a blank page when accessing the root. – javydreamercsw Aug 11 '17 at 20:40
  • On 8.5.23, the files are not present, but I added them as manager.xml and host-manager.xml pointing to the respective apps and kept the filter the same as in the post marked as answer [ Matt Innes's ] and it worked without restart [ for both the manager app and the host-manager app ] – Ashishkel Oct 19 '17 at 06:59
  • Thank you SO much! It works truly. – Meysam Fathee Panah Dec 05 '17 at 01:37
  • Worked in 9.0.6 without restart – Sudeepta Mar 20 '18 at 08:55
  • [+2] For Tomcat beginners, a significant fact bearing on this question is that **Tomcat consumes multiple `context.xml` files.** Instructions in Tomcat's default error page to *edit the Manager's context.xml file* could be more clearly stated as *edit the context.xml file in the directory for the Manager application.* – CODE-REaD Oct 27 '18 at 17:20
  • Didn't work for me (neither with `` nor with ``-tag commented). Even after restarting I am still getting "403 access denied" when trying to access the mgmt. page from my workstation :-( Remote access to the welcome page and local access to the mgmt. page are working fine, so it's not a FW issue. That's for an Apache Tomcat/9.0.36 on OpenSUSE. – mmo Jul 05 '21 at 13:28
  • This negates IP whitelisting totally; better to add specific IP addresses, or a network instead. – GHz Dec 13 '21 at 19:52
  • I could not get the accepted answer to work. In fact, of all the answers, this was the only one I could get working in Tomcat 9.0.64. Fortunately, I need it only for testing on hosts behind a firewall so any disadvantage is not relevant to me. – Russ Bateman Feb 03 '23 at 19:33
158

Each deployed webapp has a context.xml file that lives in

$CATALINA_BASE/conf/[enginename]/[hostname]

(conf/Catalina/localhost by default)

and has the same name as the webapp (manager.xml in this case). If no file is present, default values are used.

So, you need to create a file conf/Catalina/localhost/manager.xml and specify the rule you want to allow remote access. For example, the following content of manager.xml will allow access from all machines:

<Context privileged="true" antiResourceLocking="false" 
         docBase="${catalina.home}/webapps/manager">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^YOUR.IP.ADDRESS.HERE$" />
</Context>

Note that the allow attribute of the Valve element is a regular expression that matches the IP address of the connecting host. So substitute your IP address for YOUR.IP.ADDRESS.HERE (or some other useful expression).

Other Valve classes cater for other rules (e.g. RemoteHostValve for matching host names). Earlier versions of Tomcat use a valve class org.apache.catalina.valves.RemoteIpValve for IP address matching.

Once the changes above have been made, you should be presented with an authentication dialog when accessing the manager URL. If you enter the details you have supplied in tomcat-users.xml you should have access to the Manager.

Matt Innes
  • What should be done to load these configuration changes without shutting down and starting up Tomcat? – Kuldeep Yadav Mar 11 '17 at 02:13
  • 403 Access Denied – 3xCh1_23 Jul 06 '17 at 19:50
  • [+3] In Tomcat 8, you do not need to do anything; these configuration changes come into effect immediately. – Ayushya Jul 17 '17 at 20:09
  • [+3] Finally worked for me after a few tries. I was trying to make changes in the context.xml file while the changes were to be made in the "conf/Catalina/localhost" manager.xml file. If it doesn't exist you just need to create one. – Umar Maniar Jan 13 '18 at 09:54
  • For Tomcat 8.5.37, I also had to include: – Md. Apr 22 '19 at 19:52
  • I don't like this answer as it just opens up access to everybody, while the question asks for *a* "different host" - thus the configuration shouldn't just remove all access control without necessity. Check Md. Sajedul Karim's answer, especially where `YOUR.IP.ADDRESS.HERE` is mentioned – Olaf Kock Jan 13 '20 at 16:26
  • @OlafKock fair point - I've updated the answer to reflect your concerns – Matt Innes Jan 19 '21 at 13:10
  • Worked like a charm also for Tomcat 9 and saved my evening! Thanks! – mmo Mar 10 '21 at 20:58
40

To access the Tomcat manager from different machines you have to follow the steps below:

1. Update the conf/tomcat-users.xml file with a user and some roles:

<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user username="admin" password="admin" roles="manager-gui,manager-script,manager-jmx,manager-status"/>

Here the admin user is assigned roles="manager-gui,manager-script,manager-jmx,manager-status".

Here the Tomcat username and password are both: admin

2. Update webapps/manager/META-INF/context.xml file (Allowing IP address):

Default configuration:

<Context antiResourceLocking="false" privileged="true" >
  
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>

Here the Valve allows only the local machine IP, starting with 127.\d+.\d+.\d+.

2.a: Allow a specific IP:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|YOUR.IP.ADDRESS.HERE" />

Here you just replace |YOUR.IP.ADDRESS.HERE with your IP address.

2.b: Allow all IPs:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow=".*" />

Here, using allow=".*", you are allowing all IPs.

Thanks :)

Md. Sajedul Karim
  • [+2] Instead of allowing access to a single IP, you can add access to all IPs from a network, using the same syntax as the default file: this allows access from all hosts in the local network 192.168.250.0/24 – Thomas LIMIN Dec 05 '19 at 13:54
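The allow attribute discussed in Matt Innes's answer and in the 2.a / 2.b variants above is a regular expression that Tomcat's RemoteAddrValve matches against the whole client address (Java's Matcher.matches(), not a prefix or substring search). The script below is an added example, not code from the answers or from Tomcat: it reproduces the valve's decision order (deny pattern first, then allow, a deny-only configuration permits what deny did not reject, otherwise 403) with Python's re.fullmatch, and runs constructed sample addresses through the patterns on this page plus a /24 pattern of the kind Thomas LIMIN's comment refers to, so a candidate value can be checked before it goes into context.xml or manager.xml. The addresses 203.0.113.10, 198.51.100.7 and the 192.168.250.0/24 network are constructed for the example. One caveat the answers do not mention: the valve compares the address of the TCP peer, so behind a reverse proxy it sees the proxy's address unless a RemoteIpValve is configured to trust the proxy's forwarding header.

```python
"""Check a RemoteAddrValve allow/deny pattern before deploying it.

Added example (not from the answers above or from Tomcat itself). The
decision order mirrors Tomcat's RequestFilterValve.isAllowed(): deny is
tested first, then allow, a deny-only configuration permits everything
else, and anything left is refused with 403. Java's Matcher.matches()
needs the whole address to match, so re.fullmatch is the equivalent.
"""
import re

# Default pattern shipped in manager/META-INF/context.xml (quoted on this
# page) and candidate patterns built on it. The host 203.0.113.10 and the
# 192.168.250.0/24 network are constructed for this example.
DEFAULT_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
ONE_HOST_ALLOW = DEFAULT_ALLOW + r"|203\.0\.113\.10"   # one workstation
SUBNET_ALLOW = DEFAULT_ALLOW + r"|192\.168\.250\.\d+"  # a whole /24
ALLOW_ALL = r".*"                                       # valve becomes a no-op


def is_allowed(remote_addr, allow=None, deny=None):
    """Return True if the valve would let a request from remote_addr through."""
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    if deny is not None and allow is None:
        return True
    return False


def check_pattern(allow, addresses, deny=None):
    """Map each candidate client address to the valve's decision."""
    return {addr: is_allowed(addr, allow=allow, deny=deny) for addr in addresses}


# Constructed sample client addresses: loopback (v4 and v6), the intended
# workstation, a host on the intended subnet, and an unrelated host.
SAMPLE_ADDRESSES = ["127.0.0.1", "::1", "203.0.113.10",
                    "192.168.250.42", "198.51.100.7"]


def report(allow, deny=None):
    """Print one line per sample address for a candidate configuration."""
    print(f"allow={allow!r} deny={deny!r}")
    for addr, ok in check_pattern(allow, SAMPLE_ADDRESSES, deny).items():
        print(f"  {addr:16} {'allowed' if ok else '403'}")


if __name__ == "__main__":
    report(DEFAULT_ALLOW)      # only loopback gets in
    report(ONE_HOST_ALLOW)     # loopback plus 203.0.113.10
    report(SUBNET_ALLOW)       # loopback plus 192.168.250.x
    report(ALLOW_ALL)          # everything, as several answers suggest
    # A pattern that forgets the last octet matches nothing at all, because
    # the valve needs a full match rather than a prefix match.
    report(r"192\.168\.250")
    # deny is evaluated first, so one host can be cut out of an allowed subnet.
    report(SUBNET_ALLOW, deny=r"192\.168\.250\.42")
```

Run it with the pattern you intend to deploy substituted for one of the constants; a pattern that reports "403" for your own workstation address, or "allowed" for 198.51.100.7, is the one to fix before editing the XML.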
6

The following two configurations are working for me.

  1. tomcat-users.xml details

      <role rolename="manager-gui"/>
      <role rolename="manager-script"/>
      <role rolename="manager-jmx"/>
      <role rolename="manager-status"/>
      <role rolename="admin-gui"/>
      <role rolename="admin-script"/>
      <role rolename="tomcat"/>

      <user  username="tomcat"  password="tomcat" roles="tomcat"/>

      <user  username="admin"  password="admin" roles="admin-gui"/>

      <user  username="adminscript"  password="adminscrip" roles="admin-script"/>

      <user  username="tomcat"  password="s3cret" roles="manager-gui"/>
      <user  username="status"  password="status" roles="manager-status"/>

      <user  username="both"    password="both"   roles="manager-gui,manager-status"/>

      <user  username="script"  password="script" roles="manager-script"/>
      <user  username="jmx"     password="jmx"    roles="manager-jmx"/>

  2. context.xml of /webapps/manager/META-INF/context.xml and /webapps/host-manager/META-INF/context.xml

      <Context antiResourceLocking="false" privileged="true" >
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow=".*" />
        <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
      </Context>

Federico Navarrete
Rajeev kumar
1

Here are the sed commands I used on AWS Linux 2 to get this working via AWS EC2 user data script:

Note: This allows access from all IPs (".*"). If you don't want that, change ".*" in the last two sed commands to whatever IP you want.

Change the following to what you want:

YOUR USER NAME
YOUR PASSWORD

Also, update the path to your tomcat install by replacing /abcd with wherever your tomcat is installed:

/abcd/tomcat/conf/tomcat-users.xml
/abcd/tomcat/webapps/manager/META-INF/context.xml
/abcd/tomcat/webapps/host-manager/META-INF/context.xml

Commands:

# Add a user to Tomcat manager
sed -i 's/<\/tomcat-users>//g' /abcd/tomcat/conf/tomcat-users.xml
echo '<user name="YOUR USER NAME" password="YOUR PASSWORD" roles="manager-gui,admin-gui" />' | tee -a  /abcd/tomcat/conf/tomcat-users.xml
echo '</tomcat-users>' | tee -a  /abcd/tomcat/conf/tomcat-users.xml

# Set the Tomcat Manager apps to allow connections from everywhere
# Note: the -r forces sed to respect full regex
sed -i -r 's/127\\\.\\d\+\\\.\\d\+\\\.\\d\+\|::1\|0:0:0:0:0:0:0:1/\.\*/g' /abcd/tomcat/webapps/manager/META-INF/context.xml
sed -i -r 's/127\\\.\\d\+\\\.\\d\+\\\.\\d\+\|::1\|0:0:0:0:0:0:0:1/\.\*/g' /abcd/tomcat/webapps/host-manager/META-INF/context.xml
0

As I had to learn the hard way, the default /etc/tomcat/server.xml file (for v9.0.36 on OpenSUSE v15.2 at least) already contained <Context ...> and <Valve ...> definitions for the manager and host-manager apps! These obviously overrule whatever context.xml or manager.xml files you may have defined elsewhere. By default they restrict access to localhost, which is exactly what I was seeing. ||-( So, one needs to adjust the settings in server.xml instead OR remove/comment them there, and then one can add the files mentioned in the other responses as one used to.

mmo
  • You might want to mention which Linux distribution you are using: Debian's package e.g. **does** not define Tomcat Manager in `/etc/tomcat/server.xml` but in `/etc/tomcat/Catalina/localhost/manager.xml` as in other answers. – Piotr P. Karwasz Jul 05 '21 at 17:47
  • I added it to my response. Thanks for pointing that out! – mmo Jul 05 '21 at 20:42