tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Mikusa <dmik...@pivotal.io>
Subject Re: Manager app + RemoteAddrValve + 403 Access Denied
Date Tue, 02 Sep 2014 11:50:00 GMT
On Mon, Sep 1, 2014 at 12:36 PM, Shanti Suresh <shanti@umich.edu> wrote:

> Hi Dan,
>
>
>
> On Fri, Aug 29, 2014 at 12:34 PM, Daniel Mikusa <dmikusa@pivotal.io>
> wrote:
>
> >
> > Can you access the JMXProxy servlet directly?
> >
> >
> >
> >
> http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Using_the_JMX_Proxy_Servlet
> >
> >
> Thanks for the note and the references.  On accessing the JMXProxy servlet
> directly, I get a "403 Access Denied" as well.
>
>
> > Have you configured access to the manager app?
> >
> >
> >
> >
> http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Configuring_Manager_Application_Access
> >
> >
> I would like localhost to access the JMXProxy servlet without a password.
>  And hence, I used the RemoteAddrValve in the manager-context within
> "manager.xml" to configure access. This setup used to work in 7.0.23 with
> just an IP address restriction and no password.


So using a RemoteAddrValve will allow you to restrict access by IP address,
but the manager application is still configured to require authentication.
 See this note from the link I sent previously.

"It would be quite unsafe to ship Tomcat with default settings that allowed
anyone on the Internet to execute the Manager application on your server.
Therefore, the Manager application is shipped with the requirement that
anyone who attempts to use it must authenticate themselves, using a
username and password that have one of manager-** roles associated with
them (the role name depends on what functionality is required). Further,
there is no username in the default users file
($CATALINA_BASE/conf/tomcat-users.xml) that is assigned to those roles.
Therefore, access to the Manager application is completely disabled by
default. "

Did you do something in your previous setup to disable authentication?


 I have a perl script that
> periodically invokes JSPs within the manager application; these JSPs then
> invoke the JMXProxy servlet.  So I thought I could get the same thing to
> happen in 7.0.52.
>

How are the JSP's invoking the JMXProxyServlet?  Are they sending an HTTP
request?

Dan



>
> I know I am missing something.
>
> Thanks,
>
>                     -Shanti
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message