Posted to users@tomcat.apache.org by Rob G <ro...@gmail.com> on 2010/03/12 15:06:25 UTC

Restrict access to Manager from local ip address (Tomcat 6.0/Windows)

Hey all,

My setup:
Windows Server 2003 SP2
Single instance of Apache HTTP Server 2.2.15 (C:\Apache)
Two instances of Apache Tomcat 6.0.24 in load balancing mode
(C:\tomcat1 and C:\tomcat2)
JK 1.2.30 used to connect the Apache front end to the two tomcat instances

I've been trying to configure the tomcat instances so that the manager
webapp can only be accessed via browser on the Windows Server (i.e.
127.0.0.1).
I've RTFM, STFW and nothing seems to work.

I believe the process below is correct but it doesn't work. Can anyone
see where I'm going wrong?

1) I've edited the following file:
C:\tomcat1\webapps\manager\META-INF\context.xml.
2) Its contents are:
<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="C:\tomcat1\webapps\manager" privileged="true"
antiResourceLocking="false" antiJARLocking="false">
  <!-- Link to the user database we will get roles from -->
  <ResourceLink name="users" global="UserDatabase"
                type="org.apache.catalina.UserDatabase"/>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.0\.0\.1"/>
</Context>
3) I've stopped and started the tomcat1 service.
4) I try to access the manager webapp from a remote machine (
http://hostname:8080/manager/html) and I can get access.

I've also tried adding the text below to
C:\tomcat1\conf\Catalina\localhost\manager.xml

<Context path="/manager" docBase="C:\tomcat1\webapps\manager"
        debug="0" privileged="true">
 <Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.0\.0\.1"/>
<!-- Link to the user database we will get roles from -->
  <ResourceLink name="users" global="UserDatabase"
type="org.apache.catalina.UserDatabase"/>
</Context>

But no joy.

Any help appreciated! Thanks
Rob

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Restrict access to Manager from local ip address (Tomcat 6.0/Windows)

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Rob G [mailto:robatgumtree@gmail.com]
> Subject: Re: Restrict access to Manager from local ip address (Tomcat
> 6.0/Windows)
> 
> Well I had looked at
> http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Configuring
> Manager Application Access. And it has the docbase attribute too...

The only time the docBase attribute is allowed is when the webapp is located outside of the <Host> appBase directory - which it is, in the case described by the doc.  (And the path attribute is only allowed when the <Context> element is in server.xml, which is strongly discouraged.)

I agree that the doc should be adjusted to reflect typical, not unusual, usage.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


Re: Restrict access to Manager from local ip address (Tomcat 6.0/Windows)

Posted by Rob G <ro...@gmail.com>.
Well I had looked at
http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Configuring
Manager Application Access. And it has the docbase attribute too...

> All too common, unfortunately.  Use the real Tomcat doc first, then Google.

RE: Restrict access to Manager from local ip address (Tomcat 6.0/Windows)

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Rob G [mailto:robatgumtree@gmail.com]
> Subject: Re: Restrict access to Manager from local ip address (Tomcat
> 6.0/Windows)
> 
> I had based my changes to the conf files based on these articles:
> http://www.unidata.ucar.edu/Projects/THREDDS/tech/reference/TomcatSecurity.html
> http://www.theserverside.com/tt/articles/content/TomcatSecurity/TomcatSecurity.pdf
> 
> Obviously they weren't entirely correct.

All too common, unfortunately.  Use the real Tomcat doc first, then Google.

 - Chuck


Re: Restrict access to Manager from local ip address (Tomcat 6.0/Windows)

Posted by Rob G <ro...@gmail.com>.
Charles and Mark,

Thanks for your help. Your advice on removing the docBase and
ResourceLink attributes was correct and the restriction is now working
correctly.

I had based my changes to the conf files based on these articles:
http://www.unidata.ucar.edu/Projects/THREDDS/tech/reference/TomcatSecurity.html
http://www.theserverside.com/tt/articles/content/TomcatSecurity/TomcatSecurity.pdf

Obviously they weren't entirely correct.


Thanks again
Regards
Rob

Re: Restrict access to Manager from local ip address (Tomcat 6.0/Windows)

Posted by Mark Thomas <ma...@apache.org>.
On 12/03/2010 14:06, Rob G wrote:
> Hey all,
> 
> My setup:
> Windows Server 2003 SP2
> Single instance of Apache HTTP Server 2.2.15 (C:\Apache)
> Two instances of Apache Tomcat 6.0.24  in load balancing mode
> (C:\tomcat1 and C:\tomcat2)
> JK 1.2.30 used to connect the Apache front end to the two tomcat instances
> 
> I've been trying to configure the tomcat instances so that the manager
> webapp can only be accessed via browser on the Windows Server (i.e.
> 127.0.0.1).
> I've RTFM, STFW and nothing seems to work.
> 
> I believe the process below is correct but it doesn't work. Can anyone
> see where I'm going wrong?
> 
> 1) I've edited the following file:
> C:\tomcat1\webapps\manager\META-INF\context.xml.
That won't have any effect.

> I've also tried adding the text below to
> C:\tomcat1\conf\Catalina\localhost\manager.xml
That is the one you need to edit.

> <Context path="/manager" docBase="C:\tomcat1\webapps\manager"
Remove the docBase attribute, it is invalid.

>         debug="0" privileged="true">
>  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="127\.0\.0\.1"/>
That looks OK to me.

> <!-- Link to the user database we will get roles from -->
>   <ResourceLink name="users" global="UserDatabase"
> type="org.apache.catalina.UserDatabase"/>
That shouldn't be required.

> </Context>
> 
> But no joy.
Did you restart after changing this file?

This works for me and to the best of my recollection, there haven't been
any changes to this code for a while. Checking svn shows they haven't
changed in over 3 years.

I'm also assuming your tests are bypassing httpd/mod_jk.

Mark

RE: Restrict access to Manager from local ip address (Tomcat 6.0/Windows)

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Rob G [mailto:robatgumtree@gmail.com]
> Subject: Restrict access to Manager from local ip address (Tomcat
> 6.0/Windows)
> 
> <Context docBase="C:\tomcat1\webapps\manager" privileged="true"

Take out the docBase attribute - it's not allowed here.

>   <ResourceLink name="users" global="UserDatabase"
>                 type="org.apache.catalina.UserDatabase"/>

You don't need the above; that's for JNDI-accessed resources, not <Realm> usage.

>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="127\.0\.0\.1"/>
> </Context>

That should work (and does for me; see below).

> I've also tried adding the text below to
> C:\tomcat1\conf\Catalina\localhost\manager.xml

You should remove, not modify, the above file when making changes to the webapps/manager directory; the one in conf/Catalina/localhost will override anything in META-INF/context.xml.

> <Context path="/manager" docBase="C:\tomcat1\webapps\manager"
>         debug="0" privileged="true">

The path, docBase, and debug attributes are not allowed.

After changing webapps/manager/META-INF/context.xml to the following:

<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1,0\:0\:0\:0\:0\:0\:0\:1"/>
</Context>

I can access the manager from the same machine Tomcat is running on, but attempts from a remote browser receive the following:

HTTP Status 403 -
type Status report
message
description Access to the specified resource () has been forbidden.
Apache Tomcat/6.0.24

Here's the related access log:

0:0:0:0:0:0:0:1 - admin [12/Mar/2010:09:12:55 -0600] "GET /manager/html HTTP/1.1" 200 13050
0:0:0:0:0:0:0:1 - - [12/Mar/2010:09:12:55 -0600] "GET /manager/images/tomcat.gif HTTP/1.1" 304 -
0:0:0:0:0:0:0:1 - - [12/Mar/2010:09:12:55 -0600] "GET /manager/images/asf-logo.gif HTTP/1.1" 304 -
172.17.142.99 - - [12/Mar/2010:09:13:30 -0600] "GET /manager/html HTTP/1.1" 403 964

 - Chuck
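As an added example (not from the thread and not Tomcat's own code), here is a small Python model of how RemoteAddrValve evaluates the allow attribute from Chuck's working context.xml, replayed over log lines shaped like his access log. It assumes my reading of the Tomcat 6.0 RequestFilterValve ordering (deny list first, then allow list, each entry a regex that must match the whole remote address), and the log lines are constructed samples.

```python
import re

# Constructed sample lines in the shape of the thread's access log; the
# remote address is the first field of Tomcat's common log format.
ACCESS_LOG = """\
0:0:0:0:0:0:0:1 - admin [12/Mar/2010:09:12:55 -0600] "GET /manager/html HTTP/1.1" 200 13050
172.17.142.99 - - [12/Mar/2010:09:13:30 -0600] "GET /manager/html HTTP/1.1" 403 964
"""

# The allow attribute from the working context.xml in the thread: IPv4
# loopback plus the IPv6 loopback that Windows often reports for localhost.
ALLOW = r"127\.0\.0\.1,0\:0\:0\:0\:0\:0\:0\:1"


def compile_list(spec):
    """Split a comma-separated allow/deny attribute into compiled regexes."""
    return [re.compile(p) for p in spec.split(",") if p]


def valve_permits(remote_addr, allow="", deny=""):
    """Assumed RequestFilterValve order: a deny match forbids, an allow match
    permits, and each pattern must match the entire address (so 127\\.0\\.0\\.1
    does not cover 127.0.0.10).  With no allow list, anything not denied
    passes only if a deny list exists; otherwise the valve forbids."""
    denies = compile_list(deny)
    allows = compile_list(allow)
    if any(p.fullmatch(remote_addr) for p in denies):
        return False
    if any(p.fullmatch(remote_addr) for p in allows):
        return True
    return bool(denies) and not allows


# remote address, then the logged status after the request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3})')


def replay_log(log_text, allow="", deny=""):
    """Return (addr, logged_status, valve_decision) per parsable line so the
    recorded 200/403 can be checked against what the valve should do."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        addr, status = m.group(1), int(m.group(2))
        rows.append((addr, status, valve_permits(addr, allow, deny)))
    return rows
```

Dropping the IPv6 entry from ALLOW makes the loopback request in the log fail, which is the case Chuck's pattern guards against.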