Tomcat manager authentication problem

 
Greenhorn
Posts: 3
Hi all,
I have a problem with Tomcat manager authentication.

I'm working on
Oracle Linux Server release 5.7
with
Apache Tomcat Version 6.0.29

I added the user and the role in the configuration file conf/tomcat-users.xml


When I try to access the Tomcat manager page on my LAN
http://orcldb01/manager/html
where orcldb01 is the machine name,
it asks me for user and password,
but it doesn't authenticate me correctly, and it shows me the message:


You are not authorized to view this page. If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation. That file will contain the credentials to let you use this webapp.

You will need to add manager role to the config file listed above. For example:

<role rolename="manager"/>
<user username="tomcat" password="s3cret" roles="manager"/>

I added the role but nothing changed.

Here is my tomcat-users.xml:

<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="tomcat"/>
<role rolename="manager"/>
<user username="CN=Alfresco Repository Client, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB" roles="repoclient" password="null"/>
<user username="CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB" roles="repository" password="null"/>
<user username="admin" password="testpwd" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,tomcat"/>
<user username="tomcat" password="testpwd" roles="manager"/>
</tomcat-users>

With both users, admin or tomcat, it doesn't allow me to enter the Tomcat manager page.

Can anybody help me, please?
Thanks in advance
Fabio
 
Saloon Keeper
Posts: 27763
Welcome to the JavaRanch, Fabio!

Tomcat uses a set of plug-in security managers rather than a single fixed security manager. These different managers (called Realms) allow a choice to be made in where the user IDs, passwords and authorization groups are stored. They can be in databases, LDAP, Kerberos-managed, or even custom or composite Realms.

The tomcat-users.xml file was originally used by the MemoryRealm and it's good for testing, although not for production use. There are (I think) 2 additional Realms that use it as well these days. However, to get any use out of tomcat-users.xml, you have to activate one of those Realms. As shipped, there are no Realms assigned either to the server as a whole or to any individual webapps within the server. There are some samples in server.xml, but they are all commented out. So you have to uncomment one of them.
 
Fabio Marcon
Greenhorn
Posts: 3

Tim Holloway wrote: Welcome to the JavaRanch, Fabio!


Thank you very much, Tim, and thanks for the help.

Tim Holloway wrote:

The tomcat-users.xml file was originally used by the MemoryRealm and it's good for testing, although not for production use. There are (I think) 2 additional Realms that use it as well these days. However, to get any use out of tomcat-users.xml, you have to activate one of those Realms. As shipped, there are no Realms assigned either to the server as a whole or to any individual webapps within the server. There are some samples in server.xml, but they are all commented out. So you have to uncomment one of them.



In the server.xml a realm for conf/tomcat-users.xml seems to be active; a workmate did it (before he passed me the problem):

<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>

but I think I'm missing something because it doesn't work.

Thanks for any suggestion
Fabio
 
Tim Holloway
Saloon Keeper
Posts: 27763
You need to check the docs and see what roles those users have to have for that version of Tomcat manager webapp and add them. The default tomcat-users.xml file prefers security over convenience, so they aren't assigned as shipped.

The LDAP expressions on the other user accounts aren't workable, but that's another story. If you actually want LDAP authentication, they need to be authenticated by an LDAP Realm.
 
Fabio Marcon
Greenhorn
Posts: 3

Tim Holloway wrote: You need to check the docs and see what roles those users have to have for that version of Tomcat manager webapp and add them. The default tomcat-users.xml file prefers security over convenience, so they aren't assigned as shipped.



From the doc, the role seems to be "manager".
I created another Tomcat on a different port (9091), and I cleaned out all the Alfresco application stuff (now in this test environment I can add all the roles I like).
At
http://orcldb01:9091/manager/html
it keeps telling me:
401 Unauthorized

Tim Holloway wrote:
The LDAP expressions on the other user accounts aren't workable, but that's another story. If you actually want LDAP authentication, they need to be authenticated by an LDAP Realm.



The Alfresco app with LDAP worked fine; anyway, I removed it in the new Tomcat.
I just need to test the Tomcat Manager Application with the simple authentication of tomcat-users.xml.

I also added an entry in web.xml with the role manager:
<security-constraint>
<web-resource-collection>
<web-resource-name>Tomcat Manager Application</web-resource-name>
<url-pattern>/manager/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>manager</realm-name>
</login-config>


but nothing changed.
Only if I put /* it doesn't allow me to see even the test index.html.

With /manager/*

the test index.html at the link
http://orcldb01:9091/
works fine.
 
Tim Holloway
Saloon Keeper
Posts: 27763
You should not have to modify the manager webapp (including its web.xml) in any way. However, the reason I recommended checking the Tomcat documentation is that the manager webapp supports several different user roles. The exact list of available roles changes depending on what version of Tomcat (or more precisely the manager webapp for Tomcat). There are probably 7-8 different roles in Tomcat 7 and I think about 4-5 in Tomcat 6 and their names changed, too, I believe.

There are actually 2 different aspects of security managed by the Realm:

1. Authentication. When you are not logged in and you request a protected URL, Tomcat will take over, present the login screen (or dialog), and validate the user's credentials (user ID, password). For BASIC authentication, this results in a "403" response being sent back to the client in order to get the client to present the login dialog.

2. Authorization. After a user has been authenticated (and thereby established the user's identity) the URL is screened against the URL patterns defined in web.xml to see if any of the roles assigned for that particular user ID match the acceptable roles allowed for that URL. Failure to establish a match results in a "401" response.
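
Added example, not part of the thread and not Tomcat's own code: a small Python check of the points discussed above, namely whether server.xml has an active UserDatabaseRealm bound to the UserDatabase resource, and whether any user in tomcat-users.xml holds a role named in the webapp's auth-constraint. The embedded XML is constructed from the snippets posted here (the url-pattern is a placeholder), and `audit` and `named` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
REALM = "org.apache.catalina.realm.UserDatabaseRealm"
# Constructed samples modelled on the files posted in this thread.
SERVER_XML = """<Server>
  <GlobalNamingResources>
    <Resource name="UserDatabase" type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml"/>
  </GlobalNamingResources>
  <Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
    <!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                resourceName="UserDatabase"/> -->
    <Host name="localhost" appBase="webapps"/>
  </Engine></Service>
</Server>"""
USERS_XML = """<tomcat-users>
  <role rolename="manager"/>
  <user username="admin" password="testpwd" roles="manager-gui,admin-gui"/>
  <user username="tomcat" password="testpwd" roles="manager"/>
</tomcat-users>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
  <web-resource-collection><url-pattern>/html/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint>
</security-constraint></web-app>"""

def named(root, name):
    """Elements with this local tag name, ignoring any XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(server_xml, users_xml, web_xml):
    """Return (findings, usernames that satisfy the webapp's auth-constraint)."""
    server, users, web = (ET.fromstring(x) for x in (server_xml, users_xml, web_xml))
    findings = []
    # The Resource only declares the user database; an active Realm must bind to it.
    dbs = {r.get("name") for r in named(server, "Resource")
           if r.get("type") == "org.apache.catalina.UserDatabase"}
    bound = {r.get("resourceName") for r in named(server, "Realm")
             if r.get("className") == REALM}
    if not dbs & bound:
        findings.append("no active UserDatabaseRealm bound to a UserDatabase resource")
    # Authorization: compare roles the constraint demands with roles users hold.
    required = {r.text.strip() for c in named(web, "auth-constraint")
                for r in named(c, "role-name")}
    allowed = [u.get("username") for u in named(users, "user")
               if required & {r.strip() for r in u.get("roles", "").split(",")}]
    if not allowed:
        findings.append("no user holds a required role: " + ", ".join(sorted(required)))
    return findings, allowed
```

The parser drops XML comments, so a Realm that is still commented out in server.xml is reported as missing even though the Resource is declared.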
 