Host manager / manager access.

["TurboChargedDad ." <li...@gmail.com>]

Java 8
Tomcat 8.5.20

  Hello,

 I am trying to understand how to get the host manager / manager access
working from somewhere other than the localhost.  I have tried all the
various methods out there on the web to no avail.  I keep getting the 403
access denied message.   I am at a total loss at this point..

Thanks in advance.

I hope this is readable as it's hard to tell what it's going to look like
in this gmail editor.

 I have tried creating the following files.

$CATALINA_BASE/conf/server.xml
########################################
  <Connector port="8080" protocol="HTTP/1.1"  redirectPort="8080"
setIPVHosts="true" />
########################################

$CATALINA_BASE/conf/Catalina/localhost/magager.xml

########################################
<?xml version='1.0' encoding='utf-8'?>


<!-- <Context privileged="true" antiResourceLocking="false"
         docBase="${catalina.home}/webapps/manager">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1" />
</Context> -->


<!-- <Context privileged="true" antiResourceLocking="false"
         docBase="${catalina.home}/webapps/manager">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="0\.0\.0\.0" />
</Context> -->

<Context privileged="true" antiResourceLocking="false"
         docBase="${catalina.home}/webapps/manager">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="^.*$" />
</Context>
########################################

$CATALINA_BASE/webapps/host-manager/WEB-INF/context.xml

########################################
<?xml version='1.0' encoding='utf-8'?>

<!-- <Context antiResourceLocking="false" privileged="true" >
       <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|156.45.121.182" />
</Context> -->

<Context antiResourceLocking="false" privileged="true" >

  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow=".*" />
</Context>

<!--  <Manager
sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
-->
########################################

$CATALINA_BASE/webapps/manager/WEB-INF/context.xml

########################################
<?xml version='1.0' encoding='utf-8'?>

<!-- <Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|156.45.121.182" />
</Context> -->

<Context antiResourceLocking="false" privileged="true" >

  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow=".*" />
</Context>

<!--  <Manager
sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
-->
########################################

$CATALINA_BASE/conf/ tomcat-users.xml

<?xml version='1.0' encoding='utf-8'?>
<!--
CENSORED
-->
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
<tomcat-users>
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
   version="1.0">

 <user username="test1" password="password1" roles="manager-gui"/>
 <user username="test2" password="password2" roles="manager-script"/>
 <user username="test3" password="password3" roles="manager-jmx"/>
 <user username="test4" password="password4" roles="manager-status"/>
 <user username="test5" password=" password5 " roles="admin-gui"/>
 <user username="test6" password="password6" roles="admin-script"/>

<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this
app,
  you must define such a user - the username and password are arbitrary.
-->
<!--
  NOTE:  The sample user and role entries below are wrapped in a comment
  and thus are ignored when reading this file. Do not forget to remove
  <!. ..> that surrounds them.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
-->
</tomcat-users>
########################################

Re: Host manager / manager access.

[Christopher Schultz <ch...@christopherschultz.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Turbo,

On 2/4/19 10:13, TurboChargedDad . wrote:
> Java 8 Tomcat 8.5.20

Thanks.

> I am trying to understand how to get the host manager / manager
> access working from somewhere other than the localhost.  I have
> tried all the various methods out there on the web to no avail.  I
> keep getting the 403 access denied message.   I am at a total loss
> at this point..
> 
> Thanks in advance.
> 
> I hope this is readable as it's hard to tell what it's going to
> look like in this gmail editor.
> 
> I have tried creating the following files.
> 
> $CATALINA_BASE/conf/server.xml 
> ######################################## <Connector port="8080"
> protocol="HTTP/1.1"  redirectPort="8080" setIPVHosts="true" /> 
> ########################################

You shouldn't need any special configuration in conf/server.xml for
this, but it's good to see your connector port.

> $CATALINA_BASE/conf/Catalina/localhost/magager.xml
> 
> ######################################## <?xml version='1.0'
> encoding='utf-8'?>
> 
> 
> <!-- <Context privileged="true" antiResourceLocking="false" 
> docBase="${catalina.home}/webapps/manager"> <Valve
> className="org.apache.catalina.valves.RemoteAddrValve" 
> allow="127\.0\.0\.1" /> </Context> -->
> 
> 
> <!-- <Context privileged="true" antiResourceLocking="false" 
> docBase="${catalina.home}/webapps/manager"> <Valve
> className="org.apache.catalina.valves.RemoteAddrValve" 
> allow="0\.0\.0\.0" /> </Context> -->
> 
> <Context privileged="true" antiResourceLocking="false" 
> docBase="${catalina.home}/webapps/manager"> <Valve
> className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$"
> /> </Context> ########################################

That looks okay to me, except that the filename is (almost certainly)
wrong. Transcribing typo?

If you are going to "allow all" in the RemoveAddrValve, then you may
as well just remove (or comment-out) the Valve altogether.

> $CATALINA_BASE/webapps/host-manager/WEB-INF/context.xml
> 
> ######################################## <?xml version='1.0'
> encoding='utf-8'?>
> 
> <!-- <Context antiResourceLocking="false" privileged="true" > 
> <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
> allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|156.45.121.182" /> 
> </Context> -->
> 
> <Context antiResourceLocking="false" privileged="true" >
> 
> <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
> allow=".*" /> </Context>
> 
> <!--  <Manager 
> sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|L
ong|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\
$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
>
> 
- -->
> ########################################

Same thing, here: just remove RemoteAddrValve if you want to "allow all"
.

> $CATALINA_BASE/webapps/manager/WEB-INF/context.xml
> 
> ######################################## <?xml version='1.0'
> encoding='utf-8'?>
> 
> <!-- <Context antiResourceLocking="false" privileged="true" > 
> <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
> allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|156.45.121.182" /> 
> </Context> -->
> 
> <Context antiResourceLocking="false" privileged="true" >
> 
> <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
> allow=".*" /> </Context>
> 
> <!--  <Manager 
> sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|L
ong|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\
$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
>
> 
- -->
> ########################################


Definitely undo your edits to manager/WEB-INF/context.xml if you have
a conf/Catalina/localhost/manager.xml -- the latter file will override
the former one.

> $CATALINA_BASE/conf/ tomcat-users.xml
> 
> <?xml version='1.0' encoding='utf-8'?> <!-- CENSORED --> <!-- 
> Licensed to the Apache Software Foundation (ASF) under one or more 
> contributor license agreements.  See the NOTICE file distributed
> with this work for additional information regarding copyright
> ownership. The ASF licenses this file to You under the Apache
> License, Version 2.0 (the "License"); you may not use this file
> except in compliance with the License.  You may obtain a copy of
> the License at
> 
> http://www.apache.org/licenses/LICENSE-2.0
> 
> Unless required by applicable law or agreed to in writing,
> software distributed under the License is distributed on an "AS IS"
> BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
> or implied. See the License for the specific language governing
> permissions and limitations under the License. <tomcat-users> --> 
> <tomcat-users xmlns="http://tomcat.apache.org/xml" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" 
> version="1.0">
> 
> <user username="test1" password="password1" roles="manager-gui"/> 
> <user username="test2" password="password2"
> roles="manager-script"/> <user username="test3"
> password="password3" roles="manager-jmx"/> <user username="test4"
> password="password4" roles="manager-status"/> <user
> username="test5" password=" password5 " roles="admin-gui"/> <user
> username="test6" password="password6" roles="admin-script"/>
> 
> <!-- NOTE:  By default, no user is included in the "manager-gui"
> role required to operate the "/manager/html" web application.  If
> you wish to use this app, you must define such a user - the
> username and password are arbitrary. --> <!-- NOTE:  The sample
> user and role entries below are wrapped in a comment and thus are
> ignored when reading this file. Do not forget to remove <!. ..>
> that surrounds them. --> <!-- <role rolename="tomcat"/> <role
> rolename="role1"/> <user username="tomcat" password="tomcat"
> roles="tomcat"/> <user username="both" password="tomcat"
> roles="tomcat,role1"/> <user username="role1" password="tomcat"
> roles="role1"/> --> </tomcat-users> 
> ########################################

So, are you challenged for a username/password when you try to access
the manager? I don't see any <Realm> configured for your manager
(etc.) applications.

I think you want to add something like this to
conf/Catalina/localhost/manager.xml (and friends):

    <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
    </Realm>

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIyBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlxYsyUACgkQHPApP6U8
pFifew/40bD3kduI6EeZaWSEAiInz/H3K14pBbSxy+dQ38FiNyJI1/DJuhNFUwlB
OYKkPujVuwzcOtoXgHwAniPAFHITB+9SGfxYmif7/FpF3LbwWl4quQZtjGjqhF4f
cu5JV9r44lwW4qD5HeurzDAuep2VlZEFzT+vV961noRXXGsnTmjuS726j9imqYRR
p9CFDxLnVWUNxHwYC7bUc2591aO+0dCdnhEM5xWhsPJ34Wa+0uvLg/FwSscXhEP5
C3al/DAkl8GhS5b5q4aoWi2W2uBzlWwxDRlw/klN3M1Y0FvRoJex8WJlo/PeCYZR
A27kxSiFu5i7G2cr0rayUt/ejJlTJ73vfGbzeH2kPFa60X7+FtLREQLRdVN9tcVQ
PPP4kGvcXA4kbvaRn/a8lM3bPtbgRI/IqHkVRj3h8y0cmB/V47exfezwuWHhIdiQ
ZdpdMYgM4dpSf8GC//FxCDxwiV5Q7VDUychZdYEnLOLvX4ArpsLQTUqI5hBlkKHZ
wwqj9IHUrWq9d0WRDWQoMFn96o0bRIofjbeQBF2eeu7t14UUoR1CMbX/iCUiP4Gg
KPjtT66Jf6D4WPOnmoVHZt6c33ipKruVrBJfaHXhlxJPuRm+tHFbopdntC7uF38t
tB4AMa9QJp72DE8dqGlbQyWequcFJUK/oDhV6W+FC8u8kJzgvg==
=ETQ/
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org