Score:0

403 Access denied for tomcat manager page

I've installed Tomcat on CentOS 7, on Google Cloud. Tomcat works, but I can't access the Tomcat manager page.

My /opt/tomcat/conf/tomcat-users.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Licensed to the Apache Software Foundation (ASF) under one or more
      contributor license agreements.  See the NOTICE file distributed with
      this work for additional information regarding copyright ownership.
      The ASF licenses this file to You under the Apache License, Version 2.0
      (the "License"); you may not use this file except in compliance with
      the License.  You may obtain a copy of the License at
          http://www.apache.org/licenses/LICENSE-2.0
      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    -->
    <tomcat-users xmlns="http://tomcat.apache.org/xml"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
                  version="1.0">
    <!--
      By default, no user is included in the "manager-gui" role required
      to operate the "/manager/html" web application.  If you wish to use this app,
      you must define such a user - the username and password are arbitrary.
      Built-in Tomcat manager roles:
        - manager-gui    - allows access to the HTML GUI and the status pages
        - manager-script - allows access to the HTTP API and the status pages
        - manager-jmx    - allows access to the JMX proxy and the status pages
        - manager-status - allows access to the status pages only
      The users below are wrapped in a comment and are therefore ignored. If you
      wish to configure one or more of these users for use with the manager web
      application, do not forget to remove the <!.. ..> that surrounds them. You
      will also need to set the passwords to something appropriate.
    -->
    <!--
      <user username="admin" password="<must-be-changed>" roles="manager-gui"/>
      <user username="robot" password="<must-be-changed>" roles="manager-script"/>
    -->
    <!--
      The sample user and role entries below are intended for use with the
      examples web application. They are wrapped in a comment and thus are ignored
      when reading this file. If you wish to configure these users for use with the
      examples web application, do not forget to remove the <!.. ..> that surrounds
      them. You will also need to set the passwords to something appropriate.
    -->
    <role rolename="admin-gui"/>
    <role rolename="manager-gui"/>
    <user username="admin" password="notmyrealpassword" roles="admin-gui,manager-gui"/>
    </tomcat-users>

/opt/tomcat/webapps/manager/META-INF/context.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Licensed to the Apache Software Foundation (ASF) under one or more
      contributor license agreements.  See the NOTICE file distributed with
      this work for additional information regarding copyright ownership.
      The ASF licenses this file to You under the Apache License, Version 2.0
      (the "License"); you may not use this file except in compliance with
      the License.  You may obtain a copy of the License at
    
          http://www.apache.org/licenses/LICENSE-2.0
    
      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    -->
    <Context antiResourceLocking="false" privileged="true" >
      <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                       sameSiteCookies="strict" />
    <!--
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
    -->
    <!--  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/> -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192.168.0.*" />
    </Context>

/opt/tomcat/webapps/host-manager/META-INF/context.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Licensed to the Apache Software Foundation (ASF) under one or more
      contributor license agreements.  See the NOTICE file distributed with
      this work for additional information regarding copyright ownership.
      The ASF licenses this file to You under the Apache License, Version 2.0
      (the "License"); you may not use this file except in compliance with
      the License.  You may obtain a copy of the License at
    
          http://www.apache.org/licenses/LICENSE-2.0
    
      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    -->
    <Context antiResourceLocking="false" privileged="true" >
      <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                       sameSiteCookies="strict" />
    <!--  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
    -->
    <!--  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/> -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192.168.0.*" />
    </Context>

Score:0

When deploying a .war, you often get '403 Access Denied'; the following may be useful for your reference!
I am using Ubuntu 22.04 and Tomcat9; the directories are probably different from yours, but the configuration file names may be the same!

1. Set the allowed IPs for access to the Tomcat9 manager:

        sudo vim /etc/tomcat9/Catalina/localhost/manager.xml

   Add:

        <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="your allowed IPs here" denyStatus="404"/>

   This takes effect as soon as you save and quit, without restarting Tomcat9.

2. Edit the manager's context.xml:

        sudo vim /usr/share/tomcat9-admin/manager/META-INF/context.xml

   Add your allowed IPs to allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1", e.g.:

        allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.10\.10\.\d+"

Hope it's helpful!
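
The allow-list check discussed in this thread, as an added example that is not part of any post here: it parses the question's manager context.xml, keeps only the valves that are not commented out, and evaluates client addresses under the assumed RemoteAddrValve semantics (deny first, then allow, whole-address regex match, approximated with Python's `re.fullmatch`). The client addresses are constructed; 203.0.113.7 stands in for a browser reaching the Google Cloud host from outside.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample: the question's manager context.xml, license header omitted.
CONTEXT_XML = r'''<Context antiResourceLocking="false" privileged="true">
<!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192.168.0.*" />
</Context>'''

# The allow value from the Ubuntu answer's example.
ANSWER_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.10\.10\.\d+"


def active_valves(xml_text):
    """(allow, deny) of each RemoteAddrValve the XML parser sees; valves
    inside <!-- --> are comments and are dropped by the parser."""
    root = ET.fromstring(xml_text)
    return [(v.get("allow"), v.get("deny"))
            for v in root.iter("Valve") if v.get("className") == VALVE]


def is_allowed(addr, allow, deny=None):
    """Assumed valve semantics: deny wins, then allow; each regex must match
    the whole address (Java Pattern.matches, approximated by re.fullmatch)."""
    if deny and re.fullmatch(deny, addr, re.ASCII):
        return False
    if allow and re.fullmatch(allow, addr, re.ASCII):
        return True
    return bool(deny) and not allow  # a deny-only valve admits everything else


def verdicts(xml_text, addrs):
    """Map each client address to True (served) or False (rejected, 403 by default)."""
    valves = active_valves(xml_text)
    return {a: all(is_allowed(a, al, de) for al, de in valves) for a in addrs}


if __name__ == "__main__":
    # Constructed client addresses: loopback, LAN, and an outside client.
    clients = ["127.0.0.1", "192.168.0.15", "203.0.113.7"]
    for addr, ok in verdicts(CONTEXT_XML, clients).items():
        print(f"{addr:15} {'allowed' if ok else '403'}")
    print("10.10.10.5 with the answer's pattern:", is_allowed("10.10.10.5", ANSWER_ALLOW))
```

With the question's file, only loopback and 192.168.0.x clients pass, so a request arriving from any other address is rejected before the credentials in tomcat-users.xml are ever checked.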

Score:0

Try commenting out the penultimate line. Just put "-->" 2 lines lower.

    <!--  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192.168.0.*" />
    -->

If you have configured any realms in tomcat/conf/server.xml, try without them. Good luck!
