Posted to users@tomcat.apache.org by Bill Wang <bw...@gmail.com> on 2011/11/24 04:27:11 UTC

Tomcat user roles

Hi Tomcat guru,

I have questions for the tomcat user roles setup.

The on-call team (24*7 support) needs permission to restart one tomcat
service if they get a call. I think it may be possible to let them
restart tomcat through the "Tomcat Web Application Manager" (the admin url
http://server:port/manager).

My request is: I can't give the admin username and password directly to the
on-call team, because the admin account can not only restart the application, it
can also deploy and undeploy applications, and that's too dangerous.

So how can I set up tomcat-users.xml or another config file to give the on-call
team permission to restart that particular application only, and nothing else?

Regards,
Bill

Re: Tomcat user roles

Posted by Pid * <pi...@pidster.com>.
On 25 Nov 2011, at 04:43, Bill Wang <bw...@gmail.com> wrote:

> Hi Mark,
>
> Thanks, with your help, I find out this link:
> http://onjava.com/onjava/2001/07/24/tomcat.html,

2001!   :)


p


> seems you need me setup
> MemoryRealm,  then setup security constraint
> in webapps/manager/WEB-INF/web.xml
>
> There is an exist role "manager" , I try to understand it and add a new
> role "restart" in this web.xml, always get permission deny.
>
> So could you please give some instruction on how to setup below URL to that
> role "restart" only?
>
> http://hostname:8181/manager/html/stop?path=/APPNAME
> http://hostname:8181/manager/html/start?path=/APPNAME
>
> Regards,
> Bill
> On Thu, Nov 24, 2011 at 7:06 PM, <ma...@apache.org> wrote:
>
>> Bill Wang <bw...@gmail.com> wrote:
>>
>>> Hi Tomcat guru,
>>>
>>> I have questions for the tomcat user roles setup.
>>>
>>> On-call team (24*7 support)  need permission to restart one tomcat
>>> services, if they get call.  I think it is maybe possible to let them
>>> restart tomcat throught "Tomcat Web Application Manager" (the admin url
>>> http://server:port/manager)
>>>
>>> My request is, I can't give the admin username and password directly to
>>> on-call team, admin account can not only restart the application, it
>>> can
>>> deploy and undeploy applications, that's too dangerous.
>>>
>>> So how can I setup the tomcat-users.xml or other config file to let
>>> on-call
>>> team has only permission to restart that particular application, not
>>> else.
>>>
>>> Regards,
>>> Bill
>>
>> You can create a new role in web.xml called restart and limit it to the
>> list, start and stop commands since each command is part of the URL. Then
>> you assign that role to a new user in your Realm.
>>
>> I'm on my phone so can't give an exact example. If that isn't enough info,
>> I'm sure someone else can fill in the gaps for you.
>>
>> Mark
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>



Re: Tomcat user roles

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bill,

On 12/8/11 7:33 PM, Bill Wang wrote:
> Thanks to all for the explanation.
> 
> I have a new question regarding the admin role.
> 
> With default setup, if I login as admin, I can start,stop, undeploy
> and deploy the application. Now, because the admin password has
> been shared by team, and I can't not share it with team.

Why not use a more elaborate user database that lets you manage lots
of users? There's no need to have shared passwords.

> So I plan to disable undeploy and deploy function from the web
> admin URL for the admin account. If anyone need deploy new version,
> they have to login the Unix box to do it manually. With that I can
> trace and have records easily.

Ok.

I would argue that letting people log into a web-based UI to do
restarts, etc. is safer than giving them shell access, but that's your
business.

> So I edit the file webapps/manager/WEB-INF/web.xml, and remove all
> the xml sessions for remove, install, undeploy, deploy and save.
> But after I restart the tomcat server, *I still can deploy and
> undeploy*.

I suspect you only removed the <security-constraint> sections: that
will open those operations to anyone who knows those URLs, which is
obviously not what you want.

If you have changed the admin password so nobody else knows it and you
will require them to login to a shell, then why do you have to modify
the manager configuration at all?

> Below are the lines I remove from the web.xml file.
> 
> <servlet-mapping> <servlet-name>Manager</servlet-name> 
> <url-pattern>/install</url-pattern> </servlet-mapping>

Are you sure you removed those lines? If you *have* removed them, then
you haven't properly re-deployed the webapp.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7mTykACgkQ9CaO5/Lv0PBiZQCfZkqMvu6AJeiXvhK+S4EPMdiI
PAcAnRt68Ybufzp12ZPODvvbnzbJifmu
=i/JX
-----END PGP SIGNATURE-----



Re: Tomcat user roles

Posted by Bill Wang <bw...@gmail.com>.
Thanks to all for the explanation.

I have a new question regarding the admin role.

With the default setup, if I log in as admin, I can start, stop, undeploy and
deploy the application. Now, because the admin password has been shared by the
team, I can't share it with the team.

So I plan to disable the undeploy and deploy functions from the web admin URL
for the admin account. If anyone needs to deploy a new version, they have to
log in to the Unix box and do it manually. With that I can trace and keep
records easily.

So I edited the file webapps/manager/WEB-INF/web.xml and removed all the xml
sections for remove, install, undeploy, deploy and save. But after I
restarted the tomcat server, *I still can deploy and undeploy*.

Did I miss something?

Part of tomcat-users.xml:

  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <role rolename="admin"/>
  <role rolename="role1"/>
  <role rolename="monitoring"/>
  <user username="admin" password="XXX" roles="admin,manager"/>
  <user username="monitoring" password="XXX" roles="monitoring"/>

Below are the lines I removed from the web.xml file.

  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/install</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/remove</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/deploy</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/undeploy</url-pattern>
  </servlet-mapping>

      <url-pattern>/remove</url-pattern>
      <url-pattern>/deploy</url-pattern>
      <url-pattern>/undeploy</url-pattern>
      <url-pattern>/reload</url-pattern>

I can't find the admin part in web.xml.

Regards,
Bill

On Wed, Nov 30, 2011 at 5:25 AM, Mark Thomas <ma...@apache.org> wrote:

> On 29/11/2011 17:05, Christopher Schultz wrote:
> > Mark,
> >
> > On 11/29/11 11:15 AM, markt@apache.org wrote:
> >> Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> >>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >>>
> >>> Bill,
> >>>
> >>> On 11/28/11 7:08 PM, Bill Wang wrote:
> >>>> Here I have the last question, what's the reload option, is
> >>>> it same as stop/start?
> >>>
> >>> According to markt (who is known to be occasionally
> >>> trustworthy):
> >>>
> >>> reload = stop + start
> >
> >> I'm pretty sure I didn't say that.
> >
> > Sorry, you said:
> >
> > On 11/25/11 12:47 PM, Mark Thomas wrote:
> >> There is no such command as restart. You'll need:
> >> <url-pattern>/html/stop</url-pattern>
> >> <url-pattern>/html/start</url-pattern>
> >
> > I drew my own (perhaps incorrect) conclusion from that.
>
> In short:
> reload != restart
>
> Fuller explanation below. There is a subtle but important difference.
>
> Mark
>
> >> Reload keeps the same Context object (and doesn't reread the
> >> Context config) but does re-read web.xml and allows Jars to be
> >> updated.
> >
> >> Stop/start creates a new Context object (as well as re-reading
> >> web.xml) and is therefore a full restart of the context.
> >> Reload is sort of half a restart. There is no single command
> >> equivalent to stop/start.
> >
> > Gotcha.
> >
> > -chris
> >
>
>
>
>
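The direction Chris gives in his reply to this message (one account per person instead of a shared admin password, and leaving the deploy constraints in web.xml in place rather than deleting them) can be expressed in the tomcat-users.xml Bill posted above. The file below is an added example, not part of the thread or of the Tomcat project: the account names and passwords are placeholders, and it assumes that the default UserDatabaseRealm in server.xml reads this file and that the manager's web.xml grants /html/stop, /html/start and /html/list to a role named manager-gui-restart. Role names follow Chris's Tomcat 7 naming (manager-gui); on a Tomcat 6 manager the full role is "manager", as in Bill's file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread or the Tomcat project): one
     tomcat-users.xml account per person instead of a shared admin
     password. All passwords are placeholders. -->
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-gui-restart"/>
  <role rolename="monitoring"/>

  <!-- Full manager access: this role can deploy and undeploy. Give it
       only to the people who actually deploy; the password is not shared. -->
  <user username="alice.admin" password="CHANGE-ME-1" roles="manager-gui"/>

  <!-- On-call accounts: only the URLs granted to manager-gui-restart in
       the manager's web.xml (assumed: /html/stop, /html/start, /html/list).
       Every other manager URL stays behind the existing constraints, which
       require manager-gui, so these users get 403 on deploy/undeploy. -->
  <user username="bob.oncall" password="CHANGE-ME-2" roles="manager-gui-restart"/>
  <user username="carol.oncall" password="CHANGE-ME-3" roles="manager-gui-restart"/>

  <!-- Kept from Bill's file: read-only monitoring account. -->
  <user username="monitoring" password="CHANGE-ME-4" roles="monitoring"/>
</tomcat-users>
```

Deploy and undeploy remain protected by the constraints already in the manager's web.xml; the on-call accounts simply do not hold the role those constraints require, which is the "access denied" behaviour Bill later reports. Because every person now authenticates as a distinct user, an AccessLogValve pattern that includes %u attributes each manager command to a named account, which gives the audit trail Bill wanted without pushing people to a shell. The UserDatabaseRealm loads this file at startup, so Tomcat must be restarted after editing it.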

Re: Tomcat user roles

Posted by Mark Thomas <ma...@apache.org>.
On 29/11/2011 17:05, Christopher Schultz wrote:
> Mark,
> 
> On 11/29/11 11:15 AM, markt@apache.org wrote:
>> Christopher Schultz <ch...@christopherschultz.net> wrote:
> 
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>> 
>>> Bill,
>>> 
>>> On 11/28/11 7:08 PM, Bill Wang wrote:
>>>> Here I have the last question, what's the reload option, is
>>>> it same as stop/start?
>>> 
>>> According to markt (who is known to be occasionally 
>>> trustworthy):
>>> 
>>> reload = stop + start
> 
>> I'm pretty sure I didn't say that.
> 
> Sorry, you said:
> 
> On 11/25/11 12:47 PM, Mark Thomas wrote:
>> There is no such command as restart. You'll need: 
>> <url-pattern>/html/stop</url-pattern> 
>> <url-pattern>/html/start</url-pattern>
> 
> I drew my own (perhaps incorrect) conclusion from that.

In short:
reload != restart

Fuller explanation below. There is a subtle but important difference.

Mark

>> Reload keeps the same Context object (and doesn't reread the 
>> Context config) but does re-read web.xml and allows Jars to be 
>> updated.
> 
>> Stop/start creates a new Context object (as well as re-reading 
>> web.xml) and is therefore a full restart of the context.
>> Reload is sort of half a restart. There is no single command
>> equivalent to stop/start.
> 
> Gotcha.
> 
> -chris
> 
> 




Re: Tomcat user roles

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

On 11/29/11 11:15 AM, markt@apache.org wrote:
> Christopher Schultz <ch...@christopherschultz.net> wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> Bill,
>> 
>> On 11/28/11 7:08 PM, Bill Wang wrote:
>>> Here I have the last question, what's the reload option, is it
>>> same as stop/start?
>> 
>> According to markt (who is known to be occasionally
>> trustworthy):
>> 
>> reload = stop + start
> 
> I'm pretty sure I didn't say that.

Sorry, you said:

On 11/25/11 12:47 PM, Mark Thomas wrote:
> There is no such command as restart. You'll need: 
> <url-pattern>/html/stop</url-pattern> 
> <url-pattern>/html/start</url-pattern>

I drew my own (perhaps incorrect) conclusion from that.

> Reload keeps the same Context object (and doesn't reread the
> Context config) but does re-read web.xml and allows Jars to be
> updated.
> 
> Stop/start creates a new Context object (as well as re-reading
> web.xml) and is therefore a full restart of the context. Reload
> is sort of half a restart. There is no single command equivalent to
> stop/start.

Gotcha.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7VEOEACgkQ9CaO5/Lv0PDCHQCgqK7NnODpEKlyIFWuggxNawID
r/UAoKMYzcmqzjw2t1UYyEuF3dJSDuen
=ZQQk
-----END PGP SIGNATURE-----



Re: Tomcat user roles

Posted by ma...@apache.org.
Christopher Schultz <ch...@christopherschultz.net> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Bill,
>
>On 11/28/11 7:08 PM, Bill Wang wrote:
>> Here I have the last question, what's the reload option, is it same
>> as stop/start?
>
>According to markt (who is known to be occasionally trustworthy):
>
>  reload = stop + start

I'm pretty sure I didn't say that.

Reload keeps the same Context object (and doesn't reread the Context config) but does re-read web.xml and allows Jars to be updated.

Stop/start creates a new Context object (as well as re-reading web.xml) and is therefore a full restart of the context. Reload is sort of half a restart. There is no single command equivalent to stop/start.

Mark








Re: Tomcat user roles

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bill,

On 11/28/11 7:08 PM, Bill Wang wrote:
> Here I have the last question, what's the reload option, is it same
> as stop/start?

According to markt (who is known to be occasionally trustworthy):

  reload = stop + start

> If it is, maybe I just need assign /html/reload to on-call team

Mark says there's no reload command... only stop+start.

It might be nice to have a "reload" command for just this purpose.
Care to take a look at the manager app and submit a patch?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7U+mQACgkQ9CaO5/Lv0PAHOgCeIGstptEEQHPm08/y5M7+G6S3
HNoAnjEQmeXUqmTiUoFb9agfrciQ/eKm
=v81e
-----END PGP SIGNATURE-----



Re: Tomcat user roles

Posted by Bill Wang <bw...@gmail.com>.
Thanks to everyone who replied to me. I successfully did it.

Now the on-call team can stop/start the tomcat instances by themselves, but
with other actions, such as deploy, undeploy or checking server status, they
get "access denied".

That's perfect.

Here I have the last question: what's the reload option, is it the same as
stop/start?

If it is, maybe I just need to assign /html/reload to the on-call team.

Regards,
Bill

On Sat, Nov 26, 2011 at 5:53 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark,
>
> On 11/25/11 12:47 PM, Mark Thomas wrote:
> > There is no such command as restart. You'll need:
> > <url-pattern>/html/stop</url-pattern>
> > <url-pattern>/html/start</url-pattern>
>
> Whoops. Thanks for catching that.
>
> > You'll probably want: <url-pattern>/html/list</url-pattern> as
> > well.
>
> +1
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEUEARECAAYFAk7P5EAACgkQ9CaO5/Lv0PANjgCgt7PvxplfvSpeR3Z7TJF8+kHN
> S9QAl3kZqiTIxMiGyI27YJmz7zVZ11U=
> =OHNN
> -----END PGP SIGNATURE-----
>
>
>

Re: Tomcat user roles

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

On 11/25/11 12:47 PM, Mark Thomas wrote:
> There is no such command as restart. You'll need: 
> <url-pattern>/html/stop</url-pattern> 
> <url-pattern>/html/start</url-pattern>

Whoops. Thanks for catching that.

> You'll probably want: <url-pattern>/html/list</url-pattern> as
> well.

+1

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEUEARECAAYFAk7P5EAACgkQ9CaO5/Lv0PANjgCgt7PvxplfvSpeR3Z7TJF8+kHN
S9QAl3kZqiTIxMiGyI27YJmz7zVZ11U=
=OHNN
-----END PGP SIGNATURE-----



Re: Tomcat user roles

Posted by Mark Thomas <ma...@apache.org>.
On 25/11/2011 15:10, Christopher Schultz wrote:
> Bill,
> 
> On 11/24/11 11:42 PM, Bill Wang wrote:
>> Thanks, with your help, I find out this link: 
>> http://onjava.com/onjava/2001/07/24/tomcat.html, seems you need
>> me setup MemoryRealm,  then setup security constraint in 
>> webapps/manager/WEB-INF/web.xml
> 
> Wow, you didn't have any protection on your manager webapp? You
> should already have had some kind of Realm configured. If you
> already had a Realm configured, then you didn't need to enable
> MemoryRealm (which is mostly a toy for doing simple authentication
> kind of like htpasswd is for Apache httpd).
> 
>> There is an exist role "manager" , I try to understand it and add
>> a new role "restart" in this web.xml, always get permission
>> deny.
> 
> Post what you've got in your web.xml for <security-constraint> and 
> <user-role> and we'll take a look.
> 
>> So could you please give some instruction on how to setup below
>> URL to that role "restart" only?
> 
>> http://hostname:8181/manager/html/stop?path=/APPNAME 
>> http://hostname:8181/manager/html/start?path=/APPNAME
> 
> You really need to read the servlet spec for an explanation of how
> to set up authorization in web.xml. Briefly, you're going to want 
> something like this new <security-constraint> in your web.xml:
> 
> <security-constraint> <web-resource-collection> 
> <web-resource-name>Just Restarts through the Web 
> UI</web-resource-name> <url-pattern>/html/restart</url-pattern>

There is no such command as restart. You'll need:
<url-pattern>/html/stop</url-pattern>
<url-pattern>/html/start</url-pattern>

You'll probably want:
<url-pattern>/html/list</url-pattern>
as well.

Mark

> </web-resource-collection> <auth-constraint> 
> <role-name>manager-gui</role-name> 
> <role-name>manager-gui-restart</role-name> </auth-constraint> 
> </security-constraint>
> 
> ...
> 
> <security-role> <description> People who can restart webapps. 
> </description> <role-name>manager-gui-restart</role-name> 
> </security-role>
> 
> -chris
> 
> 




Re: Tomcat user roles

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bill,

On 11/24/11 11:42 PM, Bill Wang wrote:
> Thanks, with your help, I find out this link: 
> http://onjava.com/onjava/2001/07/24/tomcat.html, seems you need me
> setup MemoryRealm,  then setup security constraint in
> webapps/manager/WEB-INF/web.xml

Wow, you didn't have any protection on your manager webapp? You should
already have had some kind of Realm configured. If you already had a
Realm configured, then you didn't need to enable MemoryRealm (which is
mostly a toy for doing simple authentication kind of like htpasswd is
for Apache httpd).

> There is an exist role "manager" , I try to understand it and add a
> new role "restart" in this web.xml, always get permission deny.

Post what you've got in your web.xml for <security-constraint> and
<user-role> and we'll take a look.

> So could you please give some instruction on how to setup below URL
> to that role "restart" only?
> 
> http://hostname:8181/manager/html/stop?path=/APPNAME 
> http://hostname:8181/manager/html/start?path=/APPNAME

You really need to read the servlet spec for an explanation of how to
set up authorization in web.xml. Briefly, you're going to want
something like this new <security-constraint> in your web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Just Restarts through the Web UI</web-resource-name>
            <url-pattern>/html/restart</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>manager-gui</role-name>
            <role-name>manager-gui-restart</role-name>
        </auth-constraint>
    </security-constraint>

...

  <security-role>
    <description>
      People who can restart webapps.
    </description>
    <role-name>manager-gui-restart</role-name>
  </security-role>

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7Pr9EACgkQ9CaO5/Lv0PDwEACfTkyZuxmG6n4sa3EJS46VX7m0
xeMAnRpYTN+fdgttp6p4rSn6iJje9dtr
=BVtE
-----END PGP SIGNATURE-----

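Putting Mark's correction (there is no /html/restart; the commands are /html/stop, /html/start and /html/list) together with Chris's fragment gives the complete constraint below. It is an added example, not code from the thread or from the Tomcat project. It assumes a Tomcat 7 manager whose existing constraints protect /html/* with the manager-gui role (on Tomcat 6, where the full role is "manager", substitute that name) and that the on-call accounts are given manager-gui-restart in the Realm. Chris's inclusion of manager-gui in the auth-constraint is not decorative: the servlet container applies the most specific matching url-pattern, so an exact pattern such as /html/stop overrides the broader /html/* constraint for that URL, and leaving manager-gui out would lock the full administrators out of exactly these three commands.

```xml
<!-- Added example (not from the thread or the Tomcat project). Goes into
     webapps/manager/WEB-INF/web.xml next to the manager's existing
     constraints, which stay untouched so deploy/undeploy remain protected. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Stop, start and list through the HTML manager</web-resource-name>
    <!-- Exact patterns: each takes precedence over the existing /html/*
         constraint for that one URL and nothing else. No http-method
         elements, so the constraint covers every method. -->
    <url-pattern>/html/stop</url-pattern>
    <url-pattern>/html/start</url-pattern>
    <url-pattern>/html/list</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Keep manager-gui here, otherwise full administrators lose access
         to these three commands (most specific pattern wins). -->
    <role-name>manager-gui</role-name>
    <role-name>manager-gui-restart</role-name>
  </auth-constraint>
  <!-- Optional (assumption): require HTTPS so on-call credentials are not
       sent in the clear. Needs an HTTPS connector in server.xml; drop this
       element if none is configured. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Every role named in an auth-constraint must also be declared. -->
<security-role>
  <description>On-call staff: may stop, start and list webapps, never deploy.</description>
  <role-name>manager-gui-restart</role-name>
</security-role>
```

After editing web.xml the manager webapp must be redeployed (or Tomcat restarted) for the new constraint to load, which is the same point Chris raises later in the thread when Bill's deletions appear to have no effect. A quick check is to log in as an on-call user and confirm that /html/list works while /html/deploy and /html/undeploy answer 403.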


Re: Tomcat user roles

Posted by Bill Wang <bw...@gmail.com>.
Hi Mark,

Thanks, with your help I found this link:
http://onjava.com/onjava/2001/07/24/tomcat.html. It seems you need me to set up
MemoryRealm, then set up a security constraint
in webapps/manager/WEB-INF/web.xml.

There is an existing role "manager"; I tried to understand it and added a new
role "restart" in this web.xml, but I always get permission denied.

So could you please give some instructions on how to set up the URLs below for
the role "restart" only?

http://hostname:8181/manager/html/stop?path=/APPNAME
http://hostname:8181/manager/html/start?path=/APPNAME

Regards,
Bill
On Thu, Nov 24, 2011 at 7:06 PM, <ma...@apache.org> wrote:

> Bill Wang <bw...@gmail.com> wrote:
>
> >Hi Tomcat guru,
> >
> >I have questions for the tomcat user roles setup.
> >
> >On-call team (24*7 support)  need permission to restart one tomcat
> >services, if they get call.  I think it is maybe possible to let them
> >restart tomcat throught "Tomcat Web Application Manager" (the admin url
> >http://server:port/manager)
> >
> >My request is, I can't give the admin username and password directly to
> >on-call team, admin account can not only restart the application, it
> >can
> >deploy and undeploy applications, that's too dangerous.
> >
> >So how can I setup the tomcat-users.xml or other config file to let
> >on-call
> >team has only permission to restart that particular application, not
> >else.
> >
> >Regards,
> >Bill
>
> You can create a new role in web.xml called restart and limit it to the
> list, start and stop commands since each command is part of the URL. Then
> you assign that role to a new user in your Realm.
>
> I'm on my phone so can't give an exact example. If that isn't enough info,
> I'm sure someone else can fill in the gaps for you.
>
> Mark
>
>
>
>
>

Re: Tomcat user roles

Posted by ma...@apache.org.
Bill Wang <bw...@gmail.com> wrote:

>Hi Tomcat guru,
>
>I have questions for the tomcat user roles setup.
>
>On-call team (24*7 support)  need permission to restart one tomcat
>services, if they get call.  I think it is maybe possible to let them
>restart tomcat throught "Tomcat Web Application Manager" (the admin url
>http://server:port/manager)
>
>My request is, I can't give the admin username and password directly to
>on-call team, admin account can not only restart the application, it
>can
>deploy and undeploy applications, that's too dangerous.
>
>So how can I setup the tomcat-users.xml or other config file to let
>on-call
>team has only permission to restart that particular application, not
>else.
>
>Regards,
>Bill

You can create a new role in web.xml called restart and limit it to the list, start and stop commands since each command is part of the URL. Then you assign that role to a new user in your Realm.

I'm on my phone so can't give an exact example. If that isn't enough info, I'm sure someone else can fill in the gaps for you.

Mark


