26

I successfully installed Apache Tomcat 9 and I can access it at servername:8080.

I followed the documentation in order to access the manager web app and:

  • open $CATALINA_HOME/conf/tomcat-user.xml
  • add <role rolename="manager-gui"/>
  • add <user username="tomcat" password="s3cret" roles="manager-gui"/>
  • $CATALINA_HOME/bin/catalina.sh stop
  • check servername:8080 is down
  • $CATALINA_HOME/bin/catalina.sh start
  • check servername:8080 is up
  • servername:8080/manager/html returns HTTP Status 403 – Forbidden

I can't find what config I am missing and will be grateful for any kind of help or suggestion.

AlexMI

5 Answers

30

I want to share the solution I found here, not in the marked answer but in fade's answer.

Commenting out the Valve attribute in CATALINA_HOME/webapps/manager/META-INF/context.xml and restarting Tomcat solved the problem, and I can now access the web manager.

Community
AlexMI
20

Please change the allow attribute value in the context.xml file in the webapps/manager/META-INF folder.

Old configuration

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

Change to the new configuration

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="\d+\.\d+\.\d+\.\d+" />

This will allow access to the manager remotely from all IP addresses for login. Further, you won't get the 403 access denied page.

8

Even I had the same problem, with Tomcat 9.0.20.

I commented out the Valve tag completely (/tomcat/webapps/manager/META-INF). So my context.xml looked like below:

<Context antiResourceLocking="false" privileged="true" >
  <!--
    Remove the comment markers from around the Valve below to limit access to
    the manager application to clients connecting from localhost
  -->
  <!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  -->
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFil$
</Context>

Then in tomcat-users.xml (/tomcat/conf/) I did:

<role rolename="tomcat"/>
<role rolename="manager-gui"/>
<user username="user" password="user@123" roles="manager-gui"/>
<user username="guest" password="guest123" roles="tomcat"/>

Now I could log in using the user and user@123 credentials.

Ajinkya Karode
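Added example (not part of any answer above, and not Tomcat's own code): a Python check that reads a manager context.xml and lists which client addresses the RemoteAddrValve `allow` pattern admits under the configurations discussed on this page, plus a narrowed one. The client addresses and the `10.20.30.x` admin subnet are constructed, and Python's `re.fullmatch` stands in for the whole-string Java regex match the valve performs.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"

def context(body):
    # Wrap a Valve fragment in a minimal manager context.xml (constructed).
    return '<Context antiResourceLocking="false" privileged="true">\n%s\n</Context>' % body

def valve(allow):
    return '<Valve className="%s"\n       allow="%s" />' % (VALVE, allow)

LOOPBACK = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"   # default pattern quoted on the page

CONTEXTS = {
    "default": context(valve(LOOPBACK)),
    "any_ipv4": context(valve(r"\d+\.\d+\.\d+\.\d+")),
    "commented_out": context("<!-- %s -->" % valve(LOOPBACK)),
    # Hypothetical narrowing: loopback plus one admin subnet (assumed 10.20.30.0/24).
    "admin_subnet": context(valve(LOOPBACK + r"|10\.20\.30\.\d+")),
}

# Constructed clients: IPv4 loopback, IPv6 loopback, internal admin host, Internet host.
CLIENTS = ["127.0.0.1", "::1", "10.20.30.7", "203.0.113.50"]

def allow_pattern(context_xml):
    """Return the active valve's allow regex, or None when no valve is configured."""
    root = ET.fromstring(context_xml)      # XML comments are dropped by the parser
    for v in root.iter("Valve"):
        if v.get("className") == VALVE:
            return v.get("allow", "")      # only allow is modelled, not deny
    return None

def admitted(context_xml, clients=CLIENTS):
    """Clients that pass the address filter; the rest receive the 403."""
    pattern = allow_pattern(context_xml)
    if pattern is None:
        return list(clients)               # no valve: address filtering is off
    rx = re.compile(pattern)
    return [c for c in clients if rx.fullmatch(c)]

if __name__ == "__main__":
    for name, xml in CONTEXTS.items():
        print("%-14s admits %s" % (name, admitted(xml)))
```

With the valve commented out or set to match any IPv4 address, the Internet host reaches the login prompt and the password in tomcat-users.xml is the only remaining control; the any-IPv4 pattern also stops admitting the IPv6 loopback `::1`.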
2

Hello people of the world.

Warning: if you are using the latest version of the main browsers, it might not work, since it may be disabled by company policies or support for HTTP basic authentication might not be available. Not sure why, but only Internet Explorer saved the day; it did not work on Chrome or Edge.

Internet explorer is dead! Long live Internet Explorer! Saved me with this issue.

Have a Nice day.

João
1

quick and dirty to access all links in tomcat 9

in tomcat-users.xml add:

<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<role rolename="manager-status"/>
<role rolename="manager-script"/>
<role rolename="manager-gui"/>

<user username="admin" password="admin" roles="admin-script,admin-gui,manager-script,manager-gui,manager-status" />

then restart with catalina stop catalina start

(for me on macOS w/ homebrew, file located in /usr/local/Cellar/tomcat/9.0.43/libexec/conf/tomcat-users.xml)

Ryu S.