Posted to users@tomcat.apache.org by Kerapetse Phorano <ph...@gmail.com> on 2017/03/16 13:24:49 UTC

Tomcat issue

Hello,

Please assist. We have tomcat 9.0.0.M18
<http://tomcat.apache.org/download-90.cgi#9.0.0.M18> installed and running
successfully on Ubuntu Server.
We are experiencing an issue when we try to run tomcat manager from a
different PC.
We receive the following error message:
HTTP Status 403 – Forbidden
------------------------------

*Type* Status Report

*Description* The server understood the request but refuses to authorize it.


Regards,

Kerapetse

Re: Tomcat issue

Posted by Kerapetse Phorano <ph...@gmail.com>.
Thank you very much for your assistance.

Regards
Kerapetse

On Fri, Mar 17, 2017 at 10:50 AM, Olaf Kock <to...@olafkock.de> wrote:

>
>
> Am 17.03.2017 um 09:44 schrieb Kerapetse Phorano:
> > Ok i see that.
> > So if that is the case how do i access tomcat outside the localhost?
> >
> > Regards,
> > Kerapetse
> >
> > On Fri, Mar 17, 2017 at 9:44 AM, Olaf Kock <to...@olafkock.de> wrote:
> >
> >> Am 17.03.2017 um 07:04 schrieb Kerapetse Phorano:
> >>> I have set up an "admin" user with a password. The manager runs properly
> >>> on localhost but the error comes if it is accessed from a different PC.
> >> The manager app is deliberately preconfigured to only be available from
> >> localhost. If you open webapps/manager/META-INF/context.xml, you'll find
> >>
> >> <Context antiResourceLocking="false" privileged="true" >
> >>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> >>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
> >> </Context>
> >>
> >> which effectively denotes localhost in both IPV4 and IPV6 notation as
> >> the only allowed host accessing the application.
> >>
> >> Olaf
>
> 1. You question if this is really necessary, as the manager application
> will only be used at selected times for system administration - and
> uncomfortable system administration typically means uncomfortable
> hacking as well. It's just unnecessary to provide this attack surface to
> the world.
> 2. you really really really secure your application (e.g. configure a
> secure password, https, limit access through the firewall etc)
> 3. you configure the Valve element to include the IP address that you
> want to allow access, apart from localhost.
> 4. you remove the Valve element from context.xml
>
> It's totally fine not to execute all 4 steps - in fact, it'd be preferred.
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Tomcat issue

Posted by Olaf Kock <to...@olafkock.de>.

Am 17.03.2017 um 09:44 schrieb Kerapetse Phorano:
> Ok i see that.
> So if that is the case how do i access tomcat outside the localhost?
>
> Regards,
> Kerapetse
>
> On Fri, Mar 17, 2017 at 9:44 AM, Olaf Kock <to...@olafkock.de> wrote:
>
>> Am 17.03.2017 um 07:04 schrieb Kerapetse Phorano:
>>> I have set up an "admin" user with a password. The manager runs properly
>>> on localhost but the error comes if it is accessed from a different PC.
>> The manager app is deliberately preconfigured to only be available from
>> localhost. If you open webapps/manager/META-INF/context.xml, you'll find
>>
>> <Context antiResourceLocking="false" privileged="true" >
>>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
>> </Context>
>>
>> which effectively denotes localhost in both IPV4 and IPV6 notation as
>> the only allowed host accessing the application.
>>
>> Olaf

1. You question if this is really necessary, as the manager application
will only be used at selected times for system administration - and
uncomfortable system administration typically means uncomfortable
hacking as well. It's just unnecessary to provide this attack surface to
the world.
2. you really really really secure your application (e.g. configure a
secure password, https, limit access through the firewall etc)
3. you configure the Valve element to include the IP address that you
want to allow access, apart from localhost.
4. you remove the Valve element from context.xml

It's totally fine not to execute all 4 steps - in fact, it'd be preferred.






Re: Tomcat issue

Posted by Kerapetse Phorano <ph...@gmail.com>.
Ok i see that.
So if that is the case how do i access tomcat outside the localhost?

Regards,
Kerapetse

On Fri, Mar 17, 2017 at 9:44 AM, Olaf Kock <to...@olafkock.de> wrote:

>
> Am 17.03.2017 um 07:04 schrieb Kerapetse Phorano:
> > I have set up an "admin" user with a password. The manager runs properly
> > on localhost but the error comes if it is accessed from a different PC.
> The manager app is deliberately preconfigured to only be available from
> localhost. If you open webapps/manager/META-INF/context.xml, you'll find
>
> <Context antiResourceLocking="false" privileged="true" >
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
> </Context>
>
> which effectively denotes localhost in both IPV4 and IPV6 notation as
> the only allowed host accessing the application.
>
> Olaf

Re: Tomcat issue

Posted by Olaf Kock <to...@olafkock.de>.
Am 17.03.2017 um 07:04 schrieb Kerapetse Phorano:
> I have set up an "admin" user with a password. The manager runs properly on
> localhost but the error comes if it is accessed from a different PC.

The manager app is deliberately preconfigured to only be available from
localhost. If you open webapps/manager/META-INF/context.xml, you'll find

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>

which effectively denotes localhost in both IPV4 and IPV6 notation as
the only allowed host accessing the application.

Olaf
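
Added example, not part of Olaf's post or of Tomcat's code: a small Python model of the whole-address match that RemoteAddrValve applies to the allow pattern quoted above, showing why a request from another PC gets the 403 and what extending the pattern with one address (the option listed in his follow-up) changes. The address 192.0.2.10, EXTENDED_ALLOW and the function names are assumptions made for illustration.

```python
import re

# Default allow pattern quoted in the thread
# (webapps/manager/META-INF/context.xml).
DEFAULT_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

# Constructed example: one admin workstation, 192.0.2.10 (documentation
# address range), appended to the default pattern. The dots are escaped so
# each matches only a literal '.'.
EXTENDED_ALLOW = DEFAULT_ALLOW + r"|192\.0\.2\.10"


def valve_status(remote_addr, allow):
    """Simplified model of the valve with only an allow pattern set.

    The valve compares the whole remote address with the pattern
    (java.util.regex matches()), modelled here with re.fullmatch.
    re.ASCII keeps \\d to 0-9, as in Java's default mode.
    Returns 200 when the request is passed on, 403 when it is refused.
    """
    if re.fullmatch(allow, remote_addr, re.ASCII):
        return 200
    return 403


def audit(allow, addresses):
    """Map each candidate client address to the status the model returns."""
    return {addr: valve_status(addr, allow) for addr in addresses}


# Constructed sample of client addresses.
SAMPLE = ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1",
          "192.0.2.10", "192.0.2.100", "192.0.2.11"]

if __name__ == "__main__":
    for label, pattern in (("default", DEFAULT_ALLOW),
                           ("extended", EXTENDED_ALLOW)):
        print(label)
        for addr, status in audit(pattern, SAMPLE).items():
            print(f"  {addr:<18} {status}")
```

Because the match is against the whole address, 192.0.2.100 stays refused even though it begins with the allowed 192.0.2.10.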





Re: Tomcat issue

Posted by Kerapetse Phorano <ph...@gmail.com>.
I have set up an "admin" user with a password. The manager runs properly on
localhost but the error comes if it is accessed from a different PC.

Kerapetse

On Thu, Mar 16, 2017 at 6:14 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Kerapetse,
>
> On 3/16/17 9:24 AM, Kerapetse Phorano wrote:
> > Hello,
> >
> > Please assist. We have tomcat 9.0.0.M18
> > <http://tomcat.apache.org/download-90.cgi#9.0.0.M18> installed and
> > running successfully on Ubuntu Server. We are experiencing an issue
> > when we try to run tomcat manager from a different PC. We receive
> > the following error message: HTTP Status 403 – Forbidden
> > ------------------------------
> >
> > *Type* Status Report
> >
> > *Description* The server understood the request but refuses to
> > authorize it.
>
> Sounds like you haven't properly-configured authentication for the
> manager application.
>
> What have you done so far?
>
> -chris

Re: Tomcat issue

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Kerapetse,

On 3/16/17 9:24 AM, Kerapetse Phorano wrote:
> Hello,
> 
> Please assist. We have tomcat 9.0.0.M18 
> <http://tomcat.apache.org/download-90.cgi#9.0.0.M18> installed and
> running successfully on Ubuntu Server. We are experiencing an issue
> when we try to run tomcat manager from a different PC. We receive
> the following error message: HTTP Status 403 – Forbidden
> ------------------------------
> 
> *Type* Status Report
> 
> *Description* The server understood the request but refuses to
> authorize it.

Sounds like you haven't properly-configured authentication for the
manager application.

What have you done so far?

-chris