Posted to users@tomcat.apache.org by Shanti Suresh <sh...@umich.edu> on 2013/04/23 19:46:34 UTC

Tomcat 7.0.33 manager - 403 Access Denied

All,

I am wondering what I'm doing wrong - the Manager application is denying me
access.
Here are the details:

Tomcat version:
  7.0.33
JDK version:
  java version "1.7.0_09"
  Java(TM) SE Runtime Environment (build 1.7.0_09-b05)
  Java HotSpot(TM) 64-Bit Server VM (build 23.5-b02, mixed mode)
Operating System:
  RedHat Linux - 2.6.18-348.4.1.el5

Steps I took to permit "manager":
(1) ------------$CATALINA_HOME/conf/Catalina/localhost/manager.xml------:
<Context path="/manager" privileged="true" antiResourceLocking="false"
docBase="${catalina.home}/webapps/manager" >
   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.0\.0\.1"/>
</Context>
--------------------------------

(2) ------$CATALINA_HOME/conf/tomcat-users.xml:------
 <user username="jmxparty"
        password="ggggggggr5678dcdddddddxxxxxx"
     roles="standard,manager-jmx" />
-------------------

(3) --------$CATALINA_HOME/conf/server.xml:------Added digest=SHA:-----
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" digest="SHA"/>

-----------------------

(4) Added heapused.jsp as follows:
$ cd $CATALINA_HOME/webapps/manager
$ more heapused.jsp
<jsp:forward page="/jmxproxy/">
<jsp:param name="get" value="java.lang:type=Memory" />
<jsp:param name="att" value="HeapMemoryUsage" />
<jsp:param name="key" value="used" />
</jsp:forward>

(5) Restarted Tomcat

(6) I get a 403  Access Denied upon:
curl http://localhost:8080/manager/heapused.jsp

I can't tell what I'm missing.  Also, steps #2 and #3 are not even required
if I am using the RemoteAddrValve, correct?

Thanks.

                     -Shanti

Re: Tomcat 7.0.33 manager - 403 Access Denied

Posted by Konstantin Kolinko <kn...@gmail.com>.
2013/4/24 Shanti Suresh <sh...@umich.edu>:
> Hi Konstantin,
>
> On Tue, Apr 23, 2013 at 6:48 PM, Konstantin Kolinko
> <kn...@gmail.com>wrote:
>
>>
>> >
>> > I can't tell what I'm missing.  Also, steps #2 and #3 are not even
>> required
>> > if I am using the RemoteAddrValve, correct?
>>
>> No. They are not related to RemoteAddrValve.
>>
>
> Thanks!
>
>
>>
>>
>> I would say that you should be stopped by CsrfPreventionFilter,
>> because your heapused.jsp is not in the list of configured entry
>> points.
>>
>
> Bingo!
>
>>
>> Shanti wrote:
>> > The funny thing is that I gather the JMX metrics in an identical manner
>> on
>> > Tomcat 7.0.23 and JDK 1.6 on several  other RedHat Linux servers.
>>
>> CVE-2012-4431
>>
>
> Thanks so much!
>
> I am now able to get heapused.jsp to work.  I only had to add heapused.jsp
> into web.xml.  I did not need to add "/jmxproxy/".
>
> -----manager/WEB-INF/web.xml:-----
> <filter>
>     <filter-name>CSRF</filter-name>
>
> <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
>     <init-param>
>       <param-name>entryPoints</param-name>
>
> <param-value>/html,/html/,/html/list,/heapused.jsp,/index.jsp</param-value>
>     </init-param>
>   </filter>
> --------------------
>
> curl http://localhost:6090/manager/heapused.jsp  ==>  gives me the value.
>
> One question I have though is that I have other JSP pages for gathering
> other JMX metrics.  I would like to not have to list these individually as
> entry points.  I tried to put these JSPs into a jmx/ sub-directory under
> manager/.  I added: "<url-pattern>/jmx/*</url-pattern>" both individually
> as well as in conjunction with <init-param> in web.xml.
>
> <filter>
>     <filter-name>CSRF</filter-name>
>
> <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
>     <init-param>
>       <param-name>entryPoints</param-name>
>
> <param-value>/html,/html/,/html/list,/jmx/,/heapused.jsp,/index.jsp</param-value>
>     </init-param>
>     <url-pattern>/jmx/*</url-pattern>
>   </filter>
>
> But I got a 403 upon accessing:
>
> curl http://localhost:6090/manager/jmx/heapused.jsp
>
> The CSRF filter documentation did not mention "url-pattern":
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
>
> Is there a way to achieve what I'd like?
>

The source code is out there. You can subclass the filter, implement
your own, or propose a patch.

This feature was not needed, thus nobody implemented it.

Alternatively, it is possible to change filter mapping so that it is
not mapped to jsp servlet as a whole but to "/index.jsp" only (the
only publicly callable jsp page there).

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
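The filter-mapping change Konstantin describes, as an added example (not from this thread and not a copy of Tomcat's shipped file): in the Tomcat 7 manager web.xml the CSRF filter is, as far as I recall, mapped by servlet name to HTMLManager and to the jsp servlet, which is why every .jsp under webapps/manager, heapused.jsp included, is filtered. The second mapping below keeps the HTML manager protected and filters only /index.jsp. Check the first block against your own copy of web.xml before replacing it.

```xml
<!-- manager/WEB-INF/web.xml, CSRF filter mapping as shipped in Tomcat 7.0.x
     (from memory; verify against your copy). Mapping to the "jsp" servlet
     covers every *.jsp in the webapp, so a script calling heapused.jsp
     without a nonce gets 403 unless the page is listed in entryPoints. -->
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <servlet-name>HTMLManager</servlet-name>
  <servlet-name>jsp</servlet-name>
</filter-mapping>

<!-- Narrowed mapping (Konstantin's alternative): the HTML manager keeps its
     CSRF protection, and of the JSPs only /index.jsp, the one page the
     stock manager ships, is filtered. Any other JSP dropped into the
     manager webapp is then reachable without a nonce. -->
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <servlet-name>HTMLManager</servlet-name>
  <url-pattern>/index.jsp</url-pattern>
</filter-mapping>
```

Caveat before narrowing the mapping: the JSPs at the root of the manager webapp are outside the manager's security constraints (those cover /html/*, /text/*, /jmxproxy/* and /status/*), and the Servlet specification does not apply security constraints to RequestDispatcher forwards, so a JSP like heapused.jsp that forwards into /jmxproxy/ returns JMX data without any credentials; the curl to heapused.jsp earlier in this thread confirms it by getting the value with no user at all. With the jsp servlet removed from the CSRF mapping, the RemoteAddrValve is the only thing left in front of such pages, so keep its allow list narrow, and prefer calling /manager/jmxproxy/ directly with a manager-jmx user from scripts.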


Re: Tomcat 7.0.33 manager - 403 Access Denied

Posted by Shanti Suresh <sh...@umich.edu>.
Hi Konstantin,

On Tue, Apr 23, 2013 at 6:48 PM, Konstantin Kolinko
<kn...@gmail.com>wrote:

>
> >
> > I can't tell what I'm missing.  Also, steps #2 and #3 are not even
> required
> > if I am using the RemoteAddrValve, correct?
>
> No. They are not related to RemoteAddrValve.
>

Thanks!


>
>
> I would say that you should be stopped by CsrfPreventionFilter,
> because your heapused.jsp is not in the list of configured entry
> points.
>

Bingo!

>
> Shanti wrote:
> > The funny thing is that I gather the JMX metrics in an identical manner
> on
> > Tomcat 7.0.23 and JDK 1.6 on several  other RedHat Linux servers.
>
> CVE-2012-4431
>

Thanks so much!

I am now able to get heapused.jsp to work.  I only had to add heapused.jsp
into web.xml.  I did not need to add "/jmxproxy/".

-----manager/WEB-INF/web.xml:-----
<filter>
    <filter-name>CSRF</filter-name>

<filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>entryPoints</param-name>

<param-value>/html,/html/,/html/list,/heapused.jsp,/index.jsp</param-value>
    </init-param>
  </filter>
--------------------

curl http://localhost:6090/manager/heapused.jsp  ==>  gives me the value.

One question I have though is that I have other JSP pages for gathering
other JMX metrics.  I would like to not have to list these individually as
entry points.  I tried to put these JSPs into a jmx/ sub-directory under
manager/.  I added: "<url-pattern>/jmx/*</url-pattern>" both individually
as well as in conjunction with <init-param> in web.xml.

<filter>
    <filter-name>CSRF</filter-name>

<filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>entryPoints</param-name>

<param-value>/html,/html/,/html/list,/jmx/,/heapused.jsp,/index.jsp</param-value>
    </init-param>
    <url-pattern>/jmx/*</url-pattern>
  </filter>

But I got a 403 upon accessing:

curl http://localhost:6090/manager/jmx/heapused.jsp

The CSRF filter documentation did not mention "url-pattern":
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

Is there a way to achieve what I'd like?

Thanks!
                  -Shanti

Re: Tomcat 7.0.33 manager - 403 Access Denied

Posted by Konstantin Kolinko <kn...@gmail.com>.
2013/4/23 Shanti Suresh <sh...@umich.edu>:
> All,
>
> I am wondering what I'm doing wrong - the Manager application is denying me
> access.
> Here are the details:
>
> Tomcat version:
>   7.0.33
> JDK version:
>   java version "1.7.0_09"
>   Java(TM) SE Runtime Environment (build 1.7.0_09-b05)
>   Java HotSpot(TM) 64-Bit Server VM (build 23.5-b02, mixed mode)
> Operating System:
>   RedHat Linux - 2.6.18-348.4.1.el5
>
> Steps I took to permit "manager":
> (1) ------------$CATALINA_HOME/conf/Catalina/localhost/manager.xml------:
> <Context path="/manager" privileged="true" antiResourceLocking="false"
> docBase="${catalina.home}/webapps/manager" >
>    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="127\.0\.0\.1"/>
> </Context>
> --------------------------------
>
> (2) ------$CATALINA_HOME/conf/tomcat-users.xml:------
>  <user username="jmxparty"
>         password="ggggggggr5678dcdddddddxxxxxx"
>      roles="standard,manager-jmx" />
> -------------------
>
> (3) --------$CATALINA_HOME/conf/server.xml:------Added digest=SHA:-----
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                resourceName="UserDatabase" digest="SHA"/>
>
> -----------------------
>
> (4) Added heapused.jsp as follows:
> $ cd $CATALINA_HOME/webapps/manager
> $ more heapused.jsp
> <jsp:forward page="/jmxproxy/">
> <jsp:param name="get" value="java.lang:type=Memory" />
> <jsp:param name="att" value="HeapMemoryUsage" />
> <jsp:param name="key" value="used" />
> </jsp:forward>
>
> (5) Restarted Tomcat
>
> (6) I get a 403  Access Denied upon:
> curl http://localhost:8080/manager/heapused.jsp
>
> I can't tell what I'm missing.  Also, steps #2 and #3 are not even required
> if I am using the RemoteAddrValve, correct?

No. They are not related to RemoteAddrValve.


I would say that you should be stopped by CsrfPreventionFilter,
because your heapused.jsp is not in the list of configured entry
points.

Shanti wrote:
> The funny thing is that I gather the JMX metrics in an identical manner on
> Tomcat 7.0.23 and JDK 1.6 on several  other RedHat Linux servers.

CVE-2012-4431

Best regards,
Konstantin Kolinko

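An added example, not code from this thread or from Tomcat: a script that reads the same JMX attribute through /manager/jmxproxy/ directly instead of through a JSP that forwards to it. Going through the servlet keeps the manager's security constraint in play, since /jmxproxy/* requires the manager-jmx role (which is what steps (2) and (3) in the original post set up), whereas heapused.jsp sits at the root of the manager webapp where no constraint applies and a RequestDispatcher forward is not subject to security constraints; that is why the reply earlier on this page shows curl getting the value without credentials. The CsrfPreventionFilter does not apply here either, because the stock manager web.xml maps it to the HTMLManager and jsp servlets rather than to the JMX proxy servlet (verify against your copy). The TOMCAT_URL and TOMCAT_CREDS variables are hypothetical, and the reply format parsed by jmxproxy_value is that of the Tomcat 7 JMXProxyServlet as I remember it; check it against a real reply.

```shell
#!/bin/sh
# Added example (not from the thread): read a JMX attribute through the
# manager's /jmxproxy/ servlet directly, so the manager-jmx security
# constraint on /jmxproxy/* applies and no JSP wrapper is needed.
#
# Assumed environment (hypothetical values, set them for your server):
#   TOMCAT_URL   e.g. http://localhost:8080
#   TOMCAT_CREDS e.g. jmxparty:secret   (a user with the manager-jmx role)

# Build the URL for a jmxproxy "get" request. The parameter names
# (get, att, key) are the ones heapused.jsp in the thread forwards with.
jmxproxy_get_url() {
  base=$1; bean=$2; att=$3; key=${4:-}
  url="$base/manager/jmxproxy/?get=$bean&att=$att"
  [ -n "$key" ] && url="$url&key=$key"
  printf '%s\n' "$url"
}

# Parse the jmxproxy text reply read from stdin. A successful "get" looks like
#   OK - Attribute get 'java.lang:type=Memory' - HeapMemoryUsage - key 'used' = 12345
# and failures start with "Error - ". Prints the value after the last " = "
# on success; on anything else prints the reply to stderr and returns 1.
jmxproxy_value() {
  reply=$(cat)
  case $reply in
    "OK - "*) printf '%s\n' "${reply##* = }" ;;
    *) printf 'jmxproxy: %s\n' "$reply" >&2; return 1 ;;
  esac
}

# Live call against a real Tomcat. With a RemoteAddrValve allowing only
# 127.0.0.1, as in the thread, this has to run on the Tomcat host itself.
heap_used() {
  url=$(jmxproxy_get_url "$TOMCAT_URL" 'java.lang:type=Memory' HeapMemoryUsage used)
  curl -sS -u "$TOMCAT_CREDS" "$url" | jmxproxy_value
}

# Only talk to the network when the environment is set, so the functions
# above can be sourced or tested without a Tomcat to talk to.
if [ -n "${TOMCAT_URL:-}" ] && [ -n "${TOMCAT_CREDS:-}" ]; then
  heap_used
fi
```

The credentials still travel as HTTP Basic auth, so either keep the connector bound to localhost (the RemoteAddrValve alone does not hide the password on the wire) or put the call behind TLS.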


RE: Tomcat 7.0.33 manager - 403 Access Denied

Posted by "Propes, Barry L " <ba...@citi.com>.
I'm not sure if it's applicable here, but I'll let you know my prior experience with this kind of thing on Tomcat 6.0.xx.

I've had to stop the manager app, clear out the work folder and I think maybe even delete the manager.xml file out of the conf\Catalina\localhost dir because it wasn't getting overwritten.

Not sure if this is happening to you or not. 

-----Original Message-----
From: Shanti Suresh [mailto:shanti@umich.edu] 
Sent: Tuesday, April 23, 2013 3:20 PM
To: Tomcat Users List
Subject: Re: Tomcat 7.0.33 manager - 403 Access Denied

Hi Jakub,

Thank you for the suggestions.  Appreciate the thoughts.

On Tue, Apr 23, 2013 at 3:33 PM, Jakub 1983 <jj...@gmail.com> wrote:

> try to comment out RemoteAddrValve,
> and check if the error still exists
>
Yes, I had tried that.  It didn't work.


> have you added <role rolename="manager-jmx"/> into users.xml ?
> add <role rolename="manager-gui"/> and try with web page, what is the 
> error ?
>
>
Good idea.  Adding a manager-jmx role entry didn't make a difference.
And, yes, I am able to access "/manager/html/".  I logged in at the prompt.


> have you tried with bare
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                resourceName="UserDatabase"/> - without sha ?
>
Passwords work fine.  So SHA is not the issue.


>
>
> for me, starting with pure downloaded latest tomcat 7, following 
> configuration enables html manager:
>   <role rolename="tomcat"/>
>    <role rolename="manager-gui"/>
>    <role rolename="admin"/>
>   <user username="tomcat" password="tomcat"
> roles="tomcat,manager-gui,admin"/>
>
HTML manager works for me too.


> download new tomcat,
>
Yes, I may have to do that.


> check if above conf  works for you, then add manager-jmx, check with 
> jmx and then add RemoteAddrValve, check, and then add sha.
>

The funny thing is that I gather the JMX metrics in an identical manner on Tomcat 7.0.23 and JDK 1.6 on several  other RedHat Linux servers.

Thanks for letting me brainstorm.

                    -Shanti



Re: Tomcat 7.0.33 manager - 403 Access Denied

Posted by Shanti Suresh <sh...@umich.edu>.
Hi Jakub,

Thank you for the suggestions.  Appreciate the thoughts.

On Tue, Apr 23, 2013 at 3:33 PM, Jakub 1983 <jj...@gmail.com> wrote:

> try to comment out RemoteAddrValve,
> and check if the error still exists
>
Yes, I had tried that.  It didn't work.


> have you added <role rolename="manager-jmx"/> into users.xml ?
> add <role rolename="manager-gui"/> and try with web page, what is the error
> ?
>
>
Good idea.  Adding a manager-jmx role entry didn't make a difference.
And, yes, I am able to access "/manager/html/".  I logged in at the prompt.


> have you tried with bare
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                resourceName="UserDatabase"/> - without sha ?
>
Passwords work fine.  So SHA is not the issue.


>
>
> for me, starting with pure downloaded latest tomcat 7, following
> configuration enables html manager:
>   <role rolename="tomcat"/>
>    <role rolename="manager-gui"/>
>    <role rolename="admin"/>
>   <user username="tomcat" password="tomcat"
> roles="tomcat,manager-gui,admin"/>
>
HTML manager works for me too.


> download new tomcat,
>
Yes, I may have to do that.


> check if above conf  works for you, then add manager-jmx, check with jmx
> and then add RemoteAddrValve, check, and then add sha.
>

The funny thing is that I gather the JMX metrics in an identical manner on
Tomcat 7.0.23 and JDK 1.6 on several  other RedHat Linux servers.

Thanks for letting me brainstorm.

                    -Shanti

Re: Tomcat 7.0.33 manager - 403 Access Denied

Posted by Jakub 1983 <jj...@gmail.com>.
try to comment out RemoteAddrValve,
and check if the error still exists
have you added <role rolename="manager-jmx"/> into users.xml ?
add <role rolename="manager-gui"/> and try with web page, what is the error?

have you tried with bare
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/> - without sha ?



for me, starting with pure downloaded latest tomcat 7, following
configuration enables html manager:
  <role rolename="tomcat"/>
   <role rolename="manager-gui"/>
   <role rolename="admin"/>
  <user username="tomcat" password="tomcat"
roles="tomcat,manager-gui,admin"/>

download new tomcat,
check if above conf  works for you, then add manager-jmx, check with jmx
and then add RemoteAddrValve, check, and then add sha.

regards
Jakub


On Tue, Apr 23, 2013 at 8:20 PM, Shanti Suresh <sh...@umich.edu> wrote:

> Hi Leo,
>
>
> On Tue, Apr 23, 2013 at 1:56 PM, Leo Donahue - RDSA IT <
> LeoDonahue@mail.maricopa.gov> wrote:
>
> >
> >
> > Is that password really the SHA value of something?
> >
> > If your password was:  password1, then you would store the SHA value of
> > "password1" in your tomcat-users.xml
> >
> >
> >
> Not the entry I posted.  I munged it.  But yes, I use the SHA digests of
> passwords in tomcat-users.xml.
>
> Thanks for checking.
>
>                       -Shanti
>

Re: Tomcat 7.0.33 manager - 403 Access Denied

Posted by Shanti Suresh <sh...@umich.edu>.
Hi Leo,


On Tue, Apr 23, 2013 at 1:56 PM, Leo Donahue - RDSA IT <
LeoDonahue@mail.maricopa.gov> wrote:

>
>
> Is that password really the SHA value of something?
>
> If your password was:  password1, then you would store the SHA value of
> "password1" in your tomcat-users.xml
>
>
>
Not the entry I posted.  I munged it.  But yes, I use the SHA digests of
passwords in tomcat-users.xml.

Thanks for checking.

                      -Shanti

RE: Tomcat 7.0.33 manager - 403 Access Denied

Posted by Leo Donahue - RDSA IT <Le...@mail.maricopa.gov>.
>-----Original Message-----
>From: Shanti Suresh [mailto:shanti@umich.edu]
>Subject: Tomcat 7.0.33 manager - 403 Access Denied
>
>All,
>
>I am wondering what I'm doing wrong - the Manager application is denying me
>access.
>Here are the details:
>
>Tomcat version:
>  7.0.33
>JDK version:
>  java version "1.7.0_09"
>  Java(TM) SE Runtime Environment (build 1.7.0_09-b05)
>  Java HotSpot(TM) 64-Bit Server VM (build 23.5-b02, mixed mode) Operating
>System:
>  RedHat Linux - 2.6.18-348.4.1.el5
>
>Steps I took to permit "manager":
>(1) ------------$CATALINA_HOME/conf/Catalina/localhost/manager.xml------:
><Context path="/manager" privileged="true" antiResourceLocking="false"
>docBase="${catalina.home}/webapps/manager" >
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>allow="127\.0\.0\.1"/>
></Context>
>--------------------------------
>
>(2) ------$CATALINA_HOME/conf/tomcat-users.xml:------
> <user username="jmxparty"
>        password="ggggggggr5678dcdddddddxxxxxx"
>     roles="standard,manager-jmx" />

Is that password really the SHA value of something?

If your password was:  password1, then you would store the SHA value of "password1" in your tomcat-users.xml

>-------------------
>
>(3) --------$CATALINA_HOME/conf/server.xml:------Added digest=SHA:-----
>        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>               resourceName="UserDatabase" digest="SHA"/>


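Leo's point in concrete form, as an added example that is not from this thread or from Tomcat: with a UserDatabaseRealm configured digest="SHA" (step (3) of the original post), the password attribute in tomcat-users.xml holds the hex-encoded SHA-1 of the password, which is what $CATALINA_HOME/bin/digest.sh -a SHA <password> prints. The function below reproduces that with sha1sum so an entry can be generated on a box without a JVM; the username, password and roles in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): generate a tomcat-users.xml <user>
# entry for a realm with digest="SHA". Tomcat's "SHA" digest is an unsalted
# SHA-1 of the password bytes, hex encoded, the same value that
# $CATALINA_HOME/bin/digest.sh -a SHA <password> prints after the colon.

tomcat_sha_digest() {
  # printf '%s' avoids the trailing newline that echo would add to the hash input.
  printf '%s' "$1" | sha1sum | cut -d' ' -f1
}

# Emit the <user> element. Username and roles are passed through unchanged;
# only the password is replaced by its digest.
tomcat_user_entry() {
  printf '<user username="%s" password="%s" roles="%s"/>\n' \
    "$1" "$(tomcat_sha_digest "$2")" "$3"
}

# Usage (hypothetical values): paste the output into tomcat-users.xml.
tomcat_user_entry jmxparty 'password1' 'standard,manager-jmx'
```

Two caveats a practitioner would want: digest="SHA" is a single unsalted SHA-1, so an attacker who reads tomcat-users.xml can crack weak passwords offline, and the file should stay readable only by the Tomcat user; and on systems without sha1sum (macOS) use `shasum -a 1` or `openssl dgst -sha1` instead, which produce the same hex string.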