tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Tomcat 7.0.33 manager - 403 Access Denied
Date Wed, 24 Apr 2013 19:40:06 GMT
2013/4/24 Shanti Suresh <shanti@umich.edu>:
> Hi Konstantin,
>
> On Tue, Apr 23, 2013 at 6:48 PM, Konstantin Kolinko
> <knst.kolinko@gmail.com>wrote:
>
>>
>> >
>> > I can't tell what I'm missing.  Also, steps #2 and #3 are not even
>> required
>> > if I am using the RemoteAddrValve, correct?
>>
>> No. They are not related to RemoteAddrValve.
>>
>
> Thanks!
>
>
>>
>>
>> I would say that you should be stopped by CsrfPreventionFilter,
>> because your heapused.jsp is not in the list of configured entry
>> points.
>>
>
> Bingo!
>
>>
>> Shanti wrote:
>> > The funny thing is that I gather the JMX metrics in an identical manner
>> on
>> > Tomcat 7.0.23 and JDK 1.6 on several  other RedHat Linux servers.
>>
>> CVE-2012-4431
>>
>
> Thanks so much!
>
> I am now able to get heapused.jsp to work.  I only had to add heapused.jsp
> into web.xml.  I did not need to add "/jmxproxy/".
>
> -----manager/WEB-INF/web.xml:-----
> <filter>
>     <filter-name>CSRF</filter-name>
>     <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
>     <init-param>
>       <param-name>entryPoints</param-name>
>       <param-value>/html,/html/,/html/list,/heapused.jsp,/index.jsp</param-value>
>     </init-param>
>   </filter>
> --------------------
>
> curl http://localhost:6090/manager/heapused.jsp  ==>  gives me the value.
>
> One question I have though is that I have other JSP pages for gathering
> other JMX metrics.  I would like to not have to list these individually as
> entry points.  I tried to put these JSPs into a jmx/ sub-directory under
> manager/.  I added: "<url-pattern>/jmx/*</url-pattern>" both individually
> as well as in conjunction with <init-param> in web.xml.
>
> <filter>
>     <filter-name>CSRF</filter-name>
>     <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
>     <init-param>
>       <param-name>entryPoints</param-name>
>       <param-value>/html,/html/,/html/list,/jmx/,/heapused.jsp,/index.jsp</param-value>
>     </init-param>
>     <url-pattern>/jmx/*</url-pattern>
>   </filter>
>
> But I got a 403 upon accessing:
>
> curl http://localhost:6090/manager/jmx/heapused.jsp
>
> The CSRF filter documentation did not mention "url-pattern":
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
>
> Is there a way to achieve what I'd like?
>

The source code is out there. You can subclass the filter, implement
your own, or propose a patch.

This feature was not needed, thus nobody implemented it.

Alternatively, it is possible to change filter mapping so that it is
not mapped to jsp servlet as a whole but to "/index.jsp" only (the
only publicly callable jsp page there).

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
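The web.xml change Konstantin suggests in his last paragraph, written out as an added example (this is not from the thread, and not Tomcat's own configuration). It assumes the stock Tomcat 7 manager web.xml maps the CSRF filter to the HTMLManager servlet and to the `jsp` servlet by servlet-name, which is what causes every JSP in the manager webapp, including anything under /jmx/, to be filtered. The mapping is narrowed so that the JSP side covers only /index.jsp; the /jmx/ pages are then never seen by the filter and need no entryPoints entries. It also shows where `<url-pattern>` actually belongs: it is a child of `<filter-mapping>`, not of `<filter>`, which is why the quoted attempt above had no effect.

```xml
<!-- manager/WEB-INF/web.xml: filter definition as in the quoted message, with the
     monitoring JSPs dropped from entryPoints because they are no longer filtered. -->
<filter>
  <filter-name>CSRF</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <param-name>entryPoints</param-name>
    <param-value>/html,/html/,/html/list,/index.jsp</param-value>
  </init-param>
</filter>

<!-- Stock mapping (assumed): the filter is applied to the HTML manager and to the
     whole jsp servlet, so /jmx/heapused.jsp without a nonce gets a 403. -->
<!--
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <servlet-name>HTMLManager</servlet-name>
  <servlet-name>jsp</servlet-name>
</filter-mapping>
-->

<!-- Replacement: the HTML manager stays protected; the JSP side of the mapping is
     narrowed to the one publicly callable page. A url-pattern and a servlet-name
     may be combined in one filter-mapping element. -->
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <servlet-name>HTMLManager</servlet-name>
  <url-pattern>/index.jsp</url-pattern>
</filter-mapping>
```

Two checks before relying on this. First, the pages under /jmx/ are now outside the CSRF filter, so they should be strictly read-only (report a metric, change nothing); a JSP that performs an action would be callable by a forged request from an authenticated browser, which is exactly what the filter exists to stop on /html. Second, the manager's stock security constraints are written per path (/html/*, /text/*, /jmxproxy/*, /status/*), so a new /jmx/* directory is not covered by them automatically; either add a `<security-constraint>` for /jmx/* with the appropriate manager role, or confirm that the RemoteAddrValve discussed earlier in the thread is in place on that context.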

