I have recently assumed duties over a site using Tomcat 8 and I am having a hard time getting a view of my manager app and site on the development server. I have set up PuTTY for SSH onto the server and I have configured port forwarding so that the base manager menu for Tomcat shows on `localhost:8080` on my machine, indicating that the SSH/port forwarding appears to be working. I get the 403 error when I try to access any other element of the manager GUI. I have reviewed multiple versions of this question from the past and I still think my issue is unique to them. (Links here to those answers: "403 Access Denied on Tomcat 8 Manager App without prompting for user/password"; "Can't access Tomcat 8 Manager App"; "Tomcat 8.5 - 403 Access Denied".)

When looking at the previous questions they reference changing a context.xml file to comment out a valve tag inside the context tag, but my context.xml file doesn't contain this valve tag:

    <?xml version="1.0" encoding="UTF-8"?>
    <Context path="" reloadable="false">
      <ResourceLink global="jdbc/MyDS" name="jdbc/MyDS" type="javax.sql.DataSource" />
      <ResourceLink global="jdbc/MyDS" name="jdbc/EPATestDS" type="javax.sql.DataSource" />
      <Parameter name="fileStore" value="/data/xxxx" override="false"/>
      <Parameter name="logStore" value="/data/xxx" override="false"/>
      <Parameter name="formSite" value="x" override="false"/>
      <Parameter name="answerKeyStore" value="/data/xxxxx/EPA/key" override="false"/>
      <Parameter name="debugMode" value="true" override="false"/>
      <Parameter name="hostname" value="https://pre-xxxxxx.com" override="false"/>
      <Parameter name="ssoHostname" value="https://pre-xxx.com" override="false"/>
      <Parameter name="ssoRealm" value="xxx" override="false"/>

      <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
    </Context>
    <!--
    These 2 parameters are expected to exist but are set for all applications on the tomcat server
    <Parameter name="mailServer" value="xxxxxxx" override="false"/>
    <Parameter name="xxxx" value="xxx" override="false"/>
    -->

(all xxx's above are to remove identifying information)

and it seems illogical to add a line to be commented. However, this context file isn't located where it seems to be indicated for most other questions I've seen on this topic. My file is located at `/CATALINA_HOME/webapps/ROOT##104/META-INF/context.xml`, whereas the solutions say to change it in `/CATALINA_HOME/webapps/manager/META-INF/context.xml`. When I run `ls --file-type` on `webapps`, it gives the manager filetype as a symbolic link to `/usr/local/tomcat/webapps/manager`, which does not exist inside my `/usr` directory.

I believe the issue may be due to the way the site was configured/set up using Docker, but I can't figure out the solution. The only places where `/usr/local/tomcat/webapps/manager/META-INF/context.xml` is located are inside of `./var/lib/docker/` directories, and there are several warnings related to not changing these files as they are managed by Docker. I am unsure of where to go at this point, but I do have Dockerfiles located; I just don't know which/what is needed for context here. I am unsure if I need to build new images, etc. But I can say that restarting Tomcat by issuing a `docker exec` to the container and restarting the container itself didn't cause any changes.

Edit based on comment: you have the same `var/lib/docker` path problems if you search for `manager.xml` as suggested below.

You can see a similar issue when looking to make changes to `tomcat-users.xml`. This file only appears in directories under `./var/lib/docker/` or one other location, `./home/<username>/repo/tomcat/mec/files/tomcat-users.xml`. The file at this location does have a properly configured `manager-gui` role, but I am unsure if this is being communicated to the proper location.

Not being a seasoned veteran with Docker, I have limited scope on what the consequences would be of trying to make changes to images and build new containers, etc.

Overall I am just trying to get a view of my Java EE site currently on that development server and I may even be approaching this in the wrong manner. Any and all direction would be greatly appreciated; I am unfortunately taking this up after about 2 years of predecessor leaving and not maintaining.

  • There are a [lot of places](http://tomcat.apache.org/tomcat-9.0-doc/config/context.html#Defining_a_context) where the context or part of it may be defined in Tomcat. Look also for a file named `manager.xml`. – Piotr P. Karwasz Feb 02 '21 at 14:44
  • Unfortunately this remains the same issue, `manager.xml` files only seem to be located inside those `var/lib/docker` paths. – SCunningPaul Feb 02 '21 at 16:01
  • Check [this answer](https://stackoverflow.com/q/20813486/11748454) to explore the docker container filesystem. Look for the file `/usr/local/tomcat/conf/Catalina/localhost/manager.xml`. This context file overrides the one in the `webapps` folder. – Piotr P. Karwasz Feb 02 '21 at 20:03
  • Thank you so much, I was able to locate both of these files (`manager.xml` and `tomcat-users.xml`) in their "correct" spots by doing this. Are you familiar enough to know what the repercussions of making these changes in a running container are? Do I need to stop/start? I know I can commit when closing the container to create a new image; is this necessary for changes to take effect? I can't say thanks enough for helping me get unstuck! – SCunningPaul Feb 02 '21 at 20:36
  • The container should be fine, but if you recreate it from the image, the changes will be gone. So commit it to another image, so you'll have a working image. – Piotr P. Karwasz Feb 02 '21 at 21:57
  • Unfortunately I can't edit any of the files in the container from the command line because the container doesn't seem to have vim, nano, etc and running apt-get install in container didn't work. I'm thinking the answer lies in rewriting the image with these changes, so I'll have to look more into composing docker images and making those changes. I'm now confused as to how the content is being retrieved as well, as the container seems to hold these files but if you make changes on live server it also has a webapps/root directory which is outside of container they are reflected on the live site. – SCunningPaul Feb 03 '21 at 18:06
  • Usually there is a bind mount on `/var/lib/docker/overlay2/*/merged`, where `*` is some identifier. You can use it to access the containers' filesystem from the host. – Piotr P. Karwasz Feb 03 '21 at 18:10
  • My `/var/lib/docker` directory on the server doesn't have `overlay2` and the directory in the container doesn't have `/lib/docker`. I will look into bind mounts and try to identify this location/function. – SCunningPaul Feb 03 '21 at 18:37
  • Ok, so the storage driver in use here is aufs, not overlay2. Still in the process of tracking down the changes to be made, but for anyone who sees this in the future and needs it: what the `overlay2` refers to is the storage driver. – SCunningPaul Feb 04 '21 at 20:05

0 Answers
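An added example, not part of the question, its comments, or Tomcat's own code: a Python check of the address rule that the valve mentioned in the linked answers applies, run against constructed context files so the 403 can be reasoned about before anything in the container is edited. It assumes that valve is `org.apache.catalina.valves.RemoteAddrValve`, that the forwarded request reaches Tomcat from a non-loopback address (`172.17.0.1` is a constructed stand-in), and that Python's `re` treats these simple patterns the way Java's regex engine does.

```python
import re
import xml.etree.ElementTree as ET

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample modelled on the manager context shipped with Tomcat 8.5+.
STOCK_MANAGER_XML = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>"""

# Constructed variant: loopback plus one explicit address (assumed bridge gateway),
# rather than removing the valve and opening the manager to every source.
WIDENED_MANAGER_XML = STOCK_MANAGER_XML.replace(
    '0:0:0:0:0:0:0:1"', r'0:0:0:0:0:0:0:1|172\.17\.0\.1"')

# Constructed application context with no address valve, like ROOT in the question.
APP_CONTEXT_XML = """<Context path="" reloadable="false">
  <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>"""


def address_valves(context_xml):
    """Return (allow, deny) attribute pairs for each RemoteAddrValve in the file."""
    root = ET.fromstring(context_xml)
    return [(v.get("allow"), v.get("deny")) for v in root.iter("Valve")
            if v.get("className") == REMOTE_ADDR_VALVE]


def valve_allows(allow, deny, addr):
    """Tomcat's order: a deny match rejects, an allow match accepts,
    deny-only accepts the rest, anything else is rejected (403)."""
    if deny is not None and re.fullmatch(deny, addr):
        return False
    if allow is not None and re.fullmatch(allow, addr):
        return True
    return deny is not None and allow is None


def manager_reachable_from(context_xml, addr):
    """True when every RemoteAddrValve in the context accepts addr."""
    return all(valve_allows(a, d, addr) for a, d in address_valves(context_xml))


if __name__ == "__main__":
    for name, xml in [("stock", STOCK_MANAGER_XML), ("widened", WIDENED_MANAGER_XML)]:
        for addr in ("127.0.0.1", "172.17.0.1", "172.17.0.5"):
            print(name, addr, manager_reachable_from(xml, addr))
```

An application context without the valve, such as the `ROOT##104` one quoted in the question, yields an empty list from `address_valves`, which is why editing that file has no effect on the manager's address check.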