Posted to dev@tomcat.apache.org by kk...@apache.org on 2011/12/25 14:24:42 UTC
svn commit: r1224607 - /tomcat/trunk/webapps/docs/manager-howto.xml
Author: kkolinko
Date: Sun Dec 25 13:24:41 2011
New Revision: 1224607
URL: http://svn.apache.org/viewvc?rev=1224607&view=rev
Log:
Improve manager-howto.xml:
Document the list of roles that allow access to Manager webapp.
The manager-script role is just one of them.
Modified:
tomcat/trunk/webapps/docs/manager-howto.xml
Modified: tomcat/trunk/webapps/docs/manager-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/manager-howto.xml?rev=1224607&r1=1224606&r2=1224607&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/manager-howto.xml (original)
+++ tomcat/trunk/webapps/docs/manager-howto.xml Sun Dec 25 13:24:41 2011
@@ -111,22 +111,62 @@ With Ant</a> for more information.</li>
anyone on the Internet to execute the Manager application on your server.
Therefore, the Manager application is shipped with the requirement that anyone
who attempts to use it must authenticate themselves, using a username and
-password that have the role <strong>manager-script</strong> associated with
-them. Further, there is no username in the default users file
-(<code>$CATALINA_BASE/conf/tomcat-users.xml</code>) that is assigned this
-role. Therefore, access to the Manager application is completely disabled
+password that have one of <strong>manager-**</strong> roles associated with
+them (the role name depends on what functionality is required).
+Further, there is no username in the default users file
+(<code>$CATALINA_BASE/conf/tomcat-users.xml</code>) that is assigned to those
+roles. Therefore, access to the Manager application is completely disabled
by default.</p>
+<p>You can find the role names in the <code>web.xml</code> file of the Manager
+web application. The available roles are:</p>
+
+<ul>
+ <li><strong>manager-gui</strong> — Access to the HTML interface.</li>
+ <li><strong>manager-status</strong> — Access to the "Server Status"
+ page in the HTML interface only.</li>
+ <li><strong>manager-script</strong> — Access to the tools-friendly
+ plain text interface, that is described in this document.</li>
+ <li><strong>manager-jmx</strong> — Access to JMX proxy interface.</li>
+</ul>
+
+<p>The HTML interface is protected against CSRF (Cross-Site Request Forgery)
+attacks, but the text and JMX interfaces cannot be protected. To maintain
+the CSRF protection:</p>
+
+<ul>
+ <li>Users with the <strong>manager-gui</strong> role should not be granted
+ the <strong>manager-script</strong> or <strong>manager-jmx</strong>
+ roles.</li>
+ <li>If you use web browser to access the Manager application using
+ a user that has either <strong>manager-script</strong> or
+ <strong>manager-jmx</strong> roles (for example for testing
+ the plain text or JMX interfaces),
+ then all windows of the browser MUST be closed afterwards to terminate
+ the session.</li>
+</ul>
+
+<p>Note that JMX proxy interface is effectively low-level root-like
+administrative interface of Tomcat. One can do a lot, if he knows
+what commands to call. You should be cautious when enabling the
+<strong>manager-jmx</strong> role.</p>
+
<p>To enable access to the Manager web application, you must either create
-a new username/password combination and associate the role name
-<strong>manager-script</strong> with it, or add the
-<strong>manager-script</strong> role
-to some existing username/password combination. Exactly where this is done
-depends on which <code>Realm</code> implementation you are using:</p>
+a new username/password combination and associate one of the
+<strong>manager-**</strong> roles with it, or add a
+<strong>manager-**</strong> role
+to some existing username/password combination.
+As the majority of this document describes the commands of plain textual
+interface, let the role name for further example to be
+<strong>manager-script</strong>.
+Exactly how the usernames/passwords are configured depends on which
+<code>Realm</code> implementation you are using:</p>
<ul>
-<li><em>MemoryRealm</em> - If you have not customized your
- <code>$CATALINA_BASE/conf/server.xml</code> to select a different one,
- Tomcat defaults to an XML-format file stored at
+<li><em>MemoryRealm</em> — This one is configured in the default
+ <code>$CATALINA_BASE/conf/server.xml</code>.
+ If you have not configured it differently, or replaced it with
+ a different <code>Realm</code> implementation, this realm
+ reads an XML-format file stored at
<code>$CATALINA_BASE/conf/tomcat-users.xml</code>, which can be
edited with any text editor. This file contains an XML
<code><user></code> for each individual user, which might
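Review bot: The wildcard notation <strong>manager-**</strong> (lines 27, 73, 74) is unclear in rendered HTML, where the double asterisk has no conventional meaning and can read as a markup artifact; since the four role names are listed explicitly a few lines later, either spell out "one of the manager-gui, manager-status, manager-script or manager-jmx roles" or use a single, explained placeholder such as "manager-xxx". Smaller wording points in the same hunk: "Access to JMX proxy interface" and "Note that JMX proxy interface" need an article ("the JMX proxy interface"); "If you use web browser" should be "If you use a web browser"; "plain text interface, that is described in this document" should be "plain text interface, which is described in this document"; and "One can do a lot, if he knows what commands to call" would read better as "A lot can be done by anyone who knows which commands to call", which also avoids the gendered pronoun. On the security guidance itself, the CSRF bullets are sound: separating manager-gui from manager-script and manager-jmx, and ending the browser session after testing, are the right recommendations, and the caution about the JMX proxy being a root-like interface is worth keeping.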
@@ -139,12 +179,12 @@ depends on which <code>Realm</code> impl
add the <strong>manager-script</strong> role to the comma-delimited
<code>roles</code> attribute for one or more existing users, and/or
create new users with that assigned role.</li>
-<li><em>JDBCRealm</em> - Your user and role information is stored in
+<li><em>JDBCRealm</em> — Your user and role information is stored in
a database accessed via JDBC. Add the <strong>manager-script</strong> role
to one or more existing users, and/or create one or more new users
with this role assigned, following the standard procedures for your
environment.</li>
-<li><em>JNDIRealm</em> - Your user and role information is stored in
+<li><em>JNDIRealm</em> — Your user and role information is stored in
a directory server accessed via LDAP. Add the
<strong>manager-script</strong> role to one or more existing users,
and/or create one or more new users with this role assigned, following
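Review bot: The only change in this hunk replaces the ASCII hyphen after the realm names with a literal U+2014 em dash character (lines 98 and 104, and likewise line 85 in the previous hunk). Because manager-howto.xml is an XML source processed by the documentation build, a raw non-ASCII character only survives if the file's encoding declaration and the editor's save encoding agree; the safer option is the character entity <code>&amp;#8212;</code> or <code>&amp;mdash;</code>, or simply keeping the hyphen, so the build cannot emit a mis-encoded glyph.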
@@ -158,8 +198,8 @@ as long as they identify a valid user in
the role <strong>manager-script</strong>.</p>
<p>In addition to the password restrictions the Manager web application
-could be restricted by the remote IP address or host by adding a
-<code>RemoteAddrValve</code> or <code>RemoteHostValve</code>.
+could be restricted by the <strong>remote IP address</strong> or host by adding
+a <code>RemoteAddrValve</code> or <code>RemoteHostValve</code>.
See <a href="config/valve.html#Remote_Address_Filter">valves documentation</a>
for details. Here is
an example of restricting access to the localhost by IP address:</p>
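Review bot: Emphasis is applied to "remote IP address" only (line 113) while "host" in the same sentence, which corresponds to <code>RemoteHostValve</code>, is left plain; either bold both or neither. While touching this sentence, "could be restricted" reads better as "can be restricted", and a comma after "In addition to the password restrictions" would help the sentence parse.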
@@ -170,17 +210,6 @@ an example of restricting access to the
</Context>
</pre>
-<p>The HTML interface is protected against CSRF but the text and JMX interfaces
-are not. To maintain the CSRF protection:</p>
-
-<ul>
- <li>users with the <code>manager-gui</code> role should not be granted either the
- <code>manager-script</code> or <code>manager-jmx</code> roles.</li>
- <li>if the text or jmx interfaces are accessed through a browser (e.g. for
- testing since these interfaces are intended for tools not humans) then the
- browser must be closed afterwards to terminate the session.</li>
-</ul>
-
</section>
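Review bot: Removing this block is consistent with relocating the CSRF guidance to the roles list earlier in the section (see the first hunk), but the relocated text changes "the text and JMX interfaces are not [protected]" to "cannot be protected"; confirm that the stronger claim is intended, since it asserts that no protection is possible rather than describing the current state. The relocated version also switches the role names from <code>&lt;code&gt;</code> to <code>&lt;strong&gt;</code> markup, which matches the rest of the file, and the old justification "these interfaces are intended for tools not humans" is dropped; that rationale is useful to readers and could be carried over into the new bullet.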