Tomcat 403 error

I have set up tomcat 8 according to this, and I have the following tomcat-users.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0"> 
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>

  <user username="notadmin" password="not_real_pass" roles="manager-gui"/>
  <user username="cargo" password="not_real_pass" roles="manager-script"/>
<tomcat-users/>

When I try to access the Manager App, I get rejected with 403 without any prompt for username and password.

What did I miss in the config?

Edit1: Added full xml file.

asked Jul 24, 2016 at 10:42

Hodossy Szabolcs

This may work.

Find the CATALINA_HOME/webapps/manager/META-INF/context.xml file and add the comment markers around the Valve.

<Context antiResourceLocking="false" privileged="true" >

<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->

</Context>

You can find more details at this page.


answered Sep 13, 2016 at 4:52

fade

The solution that worked for me is to edit the context.xml files in both $CATALINA_HOME/webapps/manager/META-INF and $CATALINA_HOME/webapps/host-manager/META-INF, where my IP is 123.123.123.123.

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|123.123.123.123" />
</Context>

I installed Tomcat 8.5 on Ubuntu and edited $CATALINA_HOME/conf/tomcat-users.xml:

<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="myuser" password="mypass" roles="admin-gui,manager-gui"/>

However, I still couldn’t access both Tomcat Web Application Manager (localhost:8080/manager/html) and Tomcat Virtual Host Manager (localhost:8080/host-manager/html) until I edited context.xml files.

answered Dec 22, 2016 at 15:05

kimbaudi

Useful link here: Access Tomcat Manager App from different host

From Tomcat version 8 onwards, the manager/html URL won’t be accessible to anyone except localhost.

In order to access the /manager/html URL, you need to make the change below in the context.xml of the manager app.

1. Go to the /apache-tomcat-8.5.23/webapps/manager/META-INF location, then edit context.xml

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="^.*$" />
 ......
</Context>

2. Restart the server.

answered Oct 9, 2017 at 9:29

Vish


Correct answer can be found here


Looks like this issue can be reproduced while following the mentioned tutorial on Unix machines. Also noticed that the author uses TC 8.0.33.
Win (and OSX) do not have such issue, at least on my env:

Server version:        Apache Tomcat/8.5.4
Server built:          Jul 6 2016 08:43:30 UTC
Server number:         8.5.4.0
OS Name:               Windows 8.1
OS Version:            6.3
Architecture:          amd64
Java Home:             C:\TOOLS\jdk1.8.0_101\jre
JVM Version:           1.8.0_101-b13
JVM Vendor:            Oracle Corporation
CATALINA_BASE:         C:\TOOLS\tomcat\apache-tomcat-8.5.4
CATALINA_HOME:         C:\TOOLS\tomcat\apache-tomcat-8.5.4

After tomcat-users.xml is modified by adding role and user Tomcat Web Application Manager can be accessed on Tomcat/8.5.4.

answered Sep 3, 2016 at 13:39

Gerardas

I have to modify the following files

$CATALINA_BASE/conf/Catalina/localhost/manager.xml and add following line

  <Context privileged="true" antiResourceLocking="false" 
     docBase="${catalina.home}/webapps/manager">
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
  </Context>

This will allow tomcat to be accessed from any machine, if you want to grant access to specific IP then use the below value instead of allow="^.*$"

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.11.234" />

answered Dec 20, 2017 at 11:31

user2720864
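
An added example (not part of any answer on this page, and not Tomcat's own code): a Python script that evaluates the `context.xml` variants proposed in these answers against a few constructed client addresses, so the effect of each edit on who can reach the Manager is visible. `audit`, the sample files and the probe addresses are assumptions for illustration, and Python's `re.fullmatch` stands in for the valve's whole-string Java regex match.

```python
import re
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"
LOOPBACK = ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1"]
# Constructed remote clients: the LAN host named in the answer above and a
# documentation-range address standing in for any other client.
REMOTE = ["192.168.11.234", "203.0.113.7"]
DEFAULT_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"


def is_allowed(addr, allow, deny):
    """Decision order of the valve: deny wins, then allow. The pattern
    must match the whole address, hence fullmatch."""
    if deny is not None and re.fullmatch(deny, addr):
        return False
    if allow is not None and re.fullmatch(allow, addr):
        return True
    # Neither matched: allowed only when a deny list exists without an allow list.
    return deny is not None and allow is None


def audit(context_xml):
    """Report which probe addresses a context.xml would let through."""
    root = ET.fromstring(context_xml)  # XML comments are discarded here
    valves = [v for v in root.iter("Valve") if v.get("className") == VALVE_CLASS]

    def passes(addr):
        # With no active valve there is nothing to fail, so every address passes.
        return all(is_allowed(addr, v.get("allow"), v.get("deny")) for v in valves)

    return {
        "valve_active": bool(valves),
        "loopback": [a for a in LOOPBACK if passes(a)],
        "remote": [a for a in REMOTE if passes(a)],
    }


def context(valve_xml):
    return '<Context antiResourceLocking="false" privileged="true">%s</Context>' % valve_xml


def valve(allow):
    return '<Valve className="%s" allow="%s" />' % (VALVE_CLASS, allow)


# Constructed context.xml variants mirroring the edits discussed in the answers.
SAMPLES = {
    "default": context(valve(DEFAULT_ALLOW)),
    "commented_out": context("<!-- " + valve(DEFAULT_ALLOW) + " -->"),
    "allow_all": context(valve("^.*$")),
    "one_extra_host": context(valve(DEFAULT_ALLOW + r"|192\.168\.11\.234")),
    # Pattern pasted without its backslashes: "d+" now means literal d's,
    # so 127.0.0.1 no longer matches and only the IPv6 loopback forms do.
    "backslashes_lost": context(valve("127.d+.d+.d+|::1|0:0:0:0:0:0:0:1")),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        r = audit(xml_text)
        print(f"{name:17} valve_active={r['valve_active']!s:5} "
              f"loopback={r['loopback']} remote={r['remote']}")
```

Commenting out the valve and `allow="^.*$"` give the same result: every client address reaches the login prompt, leaving the credentials in tomcat-users.xml as the only control.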

fade’s answer worked for me. I moved from 8.0.30 to 8.5.5 and the difference was the valve in <8.0.30>/manager/META-INF/context.xml was already commented out from the tar file but was uncommented in 8.5.5 tar.

I failed to read this important message in the 403 response:

By default the Manager is only accessible from a browser running on
the same machine as Tomcat. If you wish to modify this restriction,
you’ll need to edit the Manager’s context.xml file.

And failed to read this too:

Since r1734267 a RemoteAddrValve is configured by default in Manager
and HostManager web applications. This feature is present in 9.0.0.M4
and 8.5.0 onwards.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59672

answered Oct 11, 2016 at 19:39

Jim

  1. Go and Check if a user is created or not
    if no please create a user by opening a file in /apache-tomcat-9.0.20/tomcat-users.xml
    add a line into it

    <user username="tomcat" password="tomcat" roles="admin-gui,manager-gui,manager-script" />

  2. Go to /apache-tomcat-9.0.20/webapps/manager/META-INF/
    open context.xml
    comment everything in context tag
    example:

<Context antiResourceLocking="false" privileged="true" >
  <!--Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /-->
</Context>

answered May 28, 2019 at 9:37

Pratik Gaurav

copy the below content to file tomcat-users.xml

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<role rolename="manager-gui"/>
<role rolename="manager-script"/>

<user username="notadmin" password="not_real_pass" roles="manager-gui"/>
<user username="cargo" password="not_real_pass" roles="manager-script"/>


</tomcat-users>

I have tested, it just works!


answered Jul 24, 2016 at 12:11

Raphaël Colantonio

If none of the above works for you, make sure tomcat has access to the manager folder under webapps (chown …). The message is the exact same message, and it took me 2 hours to figure out the problem. :-)

just for someone else who came here for the same issue as me.

answered Sep 27, 2016 at 7:14

alizelzele

<role rolename="tomcat"/>
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<user username="admin" password="admin" roles="tomcat,manager-gui,admin-gui,manager-script,manager-jmx"/>

Close all the sessions; once closed, open the URL in incognito mode, log in again, and it should start working.

answered Apr 5, 2020 at 6:16

Jainender Chauhan

I foolishly uncommented the default config, which has passwords like "<must-be-changed>". Tomcat fails to parse this file (because of the "<"), and then whatever other config you add won’t work.

answered Oct 30, 2016 at 23:17

chrismarx

In my case it was the security constraints defined in web.xml. Make sure they have the same roles you use in your tomcat-users.xml file.

For example, this is one of the out-of-the-box tags and will work with the standard tomcat-users.xml.

 <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>manager-gui</role-name>
    </auth-constraint>
  </security-constraint>

In my case an admin had used a different role-name which prevented me from accessing the manager.

answered Oct 4, 2018 at 6:53

Mustafa

I followed the same tutorial but after some months I strangely got the error "403 Access Denied" while trying to use the Manager App. In this case I was using ipaddress:8080 in the address bar and the Tomcat Manager App didn’t prompt for user/password. In the case of localhost:8080 the error was "401"; the dialog box asking for username and password was displayed but the user was not recognized.

I tried all the previous suggestions / solutions without luck. The only way I found was to repeat the entire tutorial again, also overwriting the files. When finished, I found the old deployed project in the webapps directory again. Now the Apache Tomcat/8.5.16 Manager App is working again. I do not know what happened; I didn’t understand, also because I’m a newbie Tomcat user.

answered Sep 11, 2017 at 18:17

Luigi D’Alessio

I had to add both manager-gui and manager-script roles for it to work, in version 9.

After getting access to the Manager App, while trying to upload a .war file, I got the exception

org.apache.tomcat.util.http.fileupload.FileUploadBase$IOFileUploadException

which I was able to solve using the answer of this post

To get access for Host Manager, check this post

answered Oct 12, 2017 at 7:18

sss

The correct answer is as @JaKu pointed out. Tomcat is confining the access to localhost to make it secure. This is as it should be. Port forwarding to tomcat is the correct thing to do, preferably under something secure like SSH.

answered Jul 11, 2018 at 20:24

Software Prophets

I know this question is for Tomcat 8 Manager. But I had an issue with Tomcat 10; the solution that worked for me is to uncomment the usernames admin and robot in {tomcat-install-dir}/conf/tomcat-users.xml

 <user username="admin" password="password" roles="manager-gui"/>
 <user username="robot" password="admin" roles="manager-script"/>

Keep other lines commented

answered May 8 at 11:41

Adelin

I was having same problem while installing tomcat in docker.
I have solved by adding "^.*$" instead of "127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|123.123.123.123"

Restart the tomcat.

answered Dec 11, 2017 at 10:53

Prasad MCN

In this post we solve the problem of access to the manager sections and, in general, to any project that we want to set up on a REMOTE SERVER.

Why specifically on a remote server? Because Tomcat behaves differently by default on a local server and on a remote one. Locally there are no problems with permissions and security, but on a remote server you can run into all of these surprises and lose a lot of time on them.

First, we need to give full permissions on the projects folder on the remote server,

then create a user in the Tomcat configuration file, conf/tomcat-users.xml, and in each section edit the context.xml file in the META-INF folder.

The problem with logging in to the sections of the Tomcat 8/9 application manager is caused by blocking of the current URL from which we try to open the site. This problem is solved, in addition to declaring the roles in tomcat-users.xml

 <role rolename="manager-gui"/>
 <role rolename="manager-script"/>
 <role rolename="manager-jmx"/>
 <role rolename="manager-status"/>
 <role rolename="admin-gui"/>
 <role rolename="admin-script"/>
 <user username="username" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>

also by editing, or more precisely commenting out, the Valve tag in the context.xml file in the META-INF folder of the project being opened

<?xml version="1.0" encoding="UTF-8"?>
...
<Context antiResourceLocking="false" privileged="true" >
...
<!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
...
</Context>

The context.xml file can be present in any project and governs access to the project from a remote URL.

HTTP Status 403 (Access to the requested resource has been denied) can indicate that either you typed 3+ incorrect credentials (try another web-browser) or you’ve some problem with configuration.

If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation (locate tomcat-users.xml). That file must contain the credentials to let you use Tomcat webapp.

For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above:

<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>

Then you can access your webapps manager from /manager/html (e.g. reloading after config changes).

Read more: Manager App HOW-TO

If you’re trying to implement your own security constraint (in web.xml), try the following example (before </web-app> ending):

<!-- This security constraint protects your webapp interface. -->
<login-config>
  <!-- Define the Login Configuration -->
  <auth-method>BASIC</auth-method>
  <realm-name>Webapp</realm-name>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <!-- Specifying a Secure Connection -->
  <user-data-constraint>
    <!-- transport-guarantee can be CONFIDENTIAL (forced SSL), INTEGRAL, or NONE -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- Authorization, see: tomcat-users.xml --> 
<security-role>
  <role-name>*</role-name>
</security-role>

If you're still having the problem, try:

  • check if you’re editing the right XML file,
  • validate your XML files, e.g. catalina.sh configtest or xmlstarlet val /etc/tomcat?/*.xml /var/lib/tomcat7/webapps/*/WEB-INF/*.xml,
  • your <url-pattern> matches in your <security-constraint> or set to /*,
  • check your Tomcat logs (e.g. /var/log/tomcat7),
  • increase logging level (INFO -> FINE/FINEST) in logging.properties or log4j.properties (INFO, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL), restart Tomcat and check the logs,
  • if nothing in logs, check if you’re checking the right logs (sudo lsof | grep -E "java.*(out|txt|log)$", tail -f /var/log/tomcat7/*.log /var/log/tomcat7/*.txt /var/log/tomcat7/*.out),
  • when using log4j logging system, make sure you initialized it properly by placing libs and log4j.properties into the right folder and configuring it,
  • test BASIC authentication with cURL:

    • without credentials:

      $ curl -vv http://example.com:8983/solr/
      

      Normally the request should return HTTP/1.1 401 Unauthorized and the "WWW-Authenticate" header should indicate Basic authentication is required.

    • with credentials:

      $ curl -vv -u tomcat:tomcat http://example.com:8983/solr/
      

      The request should be sent with an "Authorization" header and it should authenticate. If your credentials are invalid, you should get: HTTP/1.1 401 Unauthorized. If the user is authenticated, but does not have access to view the resource you should get: HTTP/1.1 403 Forbidden.

  • maybe a user lock out mechanism has been activated for too many failed authentication attempts (LockOutRealm),

  • stop and run Tomcat manually (in the same way as in: ps wuax | grep ^tomcat), e.g.:

    # ps wuax | grep ^tomcat
    tomcat7    884  /usr/lib/jvm/java-7-openjdk-amd64/bin/java -Djava.util.logging.config.file=/var/lib/tomcat7/conf/logging.properties ... org.apache.catalina.startup.Bootstrap start
    $ /etc/init.d/tomcat7 stop
    $ sudo sudo -u tomcat7 /usr/lib/jvm/java-7-openjdk-amd64/bin/java ...  -Dorg.apache.catalina.level=FINEST org.apache.catalina.startup.Bootstrap start
    

    Alternatively start using catalina.sh script like:

    $ . /etc/default/tomcat7
    $ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64 CATALINA_HOME=/usr/share/tomcat7 CATALINA_BASE=/var/lib/tomcat7 CATALINA_PID=/var/run/tomcat7.pid CATALINA_TMPDIR=/tmp LOGGING_CONFIG="-Dorg.apache.catalina.level=FINEST"
    $ /usr/share/tomcat7/bin/catalina.sh run
    

    Or in debug mode:

    $ JPDA_SUSPEND=y catalina.sh jpda start
    

    and check your catalina.out log.

  • last resort is to debug process by: sudo strace -fp PID.

I am trying to deploy my project to tomcat7 using the Eclipse IDE, and I am facing this error:

Uploading: http://localhost:8080/manager/html/deploy?path=%2Fexample
Uploaded: http://localhost:8080/manager/html/deploy?path=%2Fexample (13855 KB at 61573.5 KB/sec)

[ERROR] Tomcat return http status error: 403, Reason Phrase: Forbidden
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 6.259s
[INFO] Finished at: Sun Apr 20 09:44:18 GMT-03:00 2014
[INFO] Final Memory: 13M/223M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.tomcat.maven:tomcat7-maven-plugin:2.2:deploy (default-cli) on project example: Tomcat return http status error: 403, Reason Phrase: Forbidden: <html><head><title>Apache Tomcat/7.0.50 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 403 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>Access to the specified resource has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.50</h3></body></html> -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

My pom.xml has this configuration:

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.tomcat.maven</groupId>
      <artifactId>tomcat7-maven-plugin</artifactId>
      <version>2.2</version>
      <configuration>
        <url>http://localhost:8080/manager/html</url>
        <server>TomcatServer</server>
        <path>/example</path>
        <username>klebermo</username>
        <password>[password]</password>
      </configuration>
    </plugin>
  </plugins>
</build>

My tomcat-users.xml is that:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="klebermo" password="[password]" roles="admin,manager"/>
</tomcat-users>

Can anyone point out what I am doing wrong?
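
An added example (not part of the posts above, and not Tomcat's own code): a Python script that takes a `tomcat-users.xml` such as the ones quoted on this page and reports whether a given user passes the Manager's role constraints, separating a 401 (unknown user, wrong password, or a file that does not parse) from a 403 (authenticated but missing the role). `role_check`, the sample files and their passwords are constructed for illustration; the `/html/*` constraint is the one quoted on this page, and the other three are assumed to match the stock Manager `web.xml`.

```python
import xml.etree.ElementTree as ET

# Manager path prefix -> roles accepted by the role constraint (assumed stock values).
CONSTRAINTS = [
    ("/html/", {"manager-gui"}),
    ("/text/", {"manager-script"}),
    ("/jmxproxy/", {"manager-jmx"}),
    ("/status/", {"manager-gui", "manager-script", "manager-jmx", "manager-status"}),
]


def load_users(users_xml):
    """Parse tomcat-users.xml into {username: (password, roles)}.
    A file that is not well-formed yields no users at all."""
    try:
        root = ET.fromstring(users_xml)
    except ET.ParseError:
        return {}
    users = {}
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "user":  # ignore the optional xmlns prefix
            roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
            users[el.get("username")] = (el.get("password"), roles)
    return users


def role_check(users_xml, username, password, path):
    """Return '401', '403' or 'pass' for a path inside the Manager webapp,
    e.g. '/html/deploy'. Only the role constraint is modelled, not the
    RemoteAddrValve or the HTML interface's CSRF protection."""
    entry = load_users(users_xml).get(username)
    if entry is None or entry[0] != password:
        return "401"
    needed = next((roles for prefix, roles in CONSTRAINTS
                   if path.startswith(prefix)), None)
    if needed is None:
        return "pass"  # path is not covered by any constraint listed here
    return "pass" if entry[1] & needed else "403"


# Constructed sample files; passwords are placeholders.
LEGACY_ROLES = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="klebermo" password="not_real_pass" roles="admin,manager"/>
</tomcat-users>"""

SPLIT_ROLES = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <user username="notadmin" password="not_real_pass" roles="manager-gui"/>
  <user username="cargo" password="not_real_pass" roles="manager-script"/>
</tomcat-users>"""

# The stock sample users uncommented as-is: the raw "<" breaks the whole file.
UNCOMMENTED_DEFAULT = """<tomcat-users>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="cargo" password="not_real_pass" roles="manager-script"/>
</tomcat-users>"""

if __name__ == "__main__":
    print(role_check(LEGACY_ROLES, "klebermo", "not_real_pass", "/html/deploy"))
    print(role_check(SPLIT_ROLES, "cargo", "not_real_pass", "/text/deploy"))
    print(role_check(UNCOMMENTED_DEFAULT, "cargo", "not_real_pass", "/text/list"))
```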

Error: Tomcat Manager App—403 Access Denied You are not authorized to view this page

Solution:

1. Shut down Tomcat (using the shutdown batch file in the bin folder under the installation directory)

2. Find the tomcat-users.xml file in the conf folder under the installation directory

3. Add the following configuration inside the <tomcat-users></tomcat-users> element of the xml file

<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user username="admin" password="123456" roles="admin-gui,admin,manager-gui,manager,manager-script,manager-jmx,manager-status"/>

The values of the username and password attributes can be changed as you like

4. After the modification is completed, save the modification and restart tomcat.

Original: https://blog.csdn.net/zhiyuan_ma/article/details/54708667
 
