tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shanti Suresh <>
Subject Re: Manager app + RemoteAddrValve + 403 Access Denied
Date Tue, 02 Sep 2014 14:53:44 GMT
Hi Dan,

On Tue, Sep 2, 2014 at 7:50 AM, Daniel Mikusa <> wrote:

> So using a RemoteAddrValve will allow you to restrict access by IP address,
> but the manager application is still configured to require authentication.
>  See this note from the link I sent previously.
> "It would be quite unsafe to ship Tomcat with default settings that allowed
> anyone on the Internet to execute the Manager application on your server.
> Therefore, the Manager application is shipped with the requirement that
> anyone who attempts to use it must authenticate themselves, using a
> username and password that have one of manager-** roles associated with
> them (the role name depends on what functionality is required). Further,
> there is no username in the default users file
> ($CATALINA_BASE/conf/tomcat-users.xml) that is assigned to those roles.
> Therefore, access to the Manager application is completely disabled by
> default. "
> Did you do something in your previous setup to disable authentication?
That's what I am looking hard and I can't seem to find anything different I
did, in manager's web.xml in 7.0.23.  There is nothing in manager's
META-INF/context.xml either.

> How are the JSP's invoking the JMXProxyServlet?  Are they sending an HTTP
> request?
The JSPs simply forward the request to the jmxproxy servlet as follows, in
the heapused.jsp:

----------start of heapused.jsp:---------
<jsp:forward page="/jmxproxy/">
<jsp:param name="get" value="java.lang:type=Memory" />
<jsp:param name="att" value="HeapMemoryUsage" />
<jsp:param name="key" value="used" />
--------------end of heapused.jsp--------



  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message