0

I want to secure my admin pages in Tomcat with web.xml and tomcat-users.xml. It doesn't work.

Here are the contents of my tomcat-users.xml

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
      <role rolename="webadmin"/>
      <user username="kumar" password="kumar" roles="manager"/>
    </tomcat-users>

and contents of WEB-INF/web.xml

    <resource-env-ref>
      <description>abc.com/</description>
      <resource-env-ref-name>player</resource-env-ref-name>
      <resource-env-ref-type>org.apache.catalina.UserDatabase</resource-env-ref-type>
    </resource-env-ref>

    <security-constraint>
      <display-name>player</display-name>
      <web-resource-collection>
        <web-resource-name>personal</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>abc.com</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>webadmin</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      </form-login-config>-->
      <auth-method>BASIC</auth-method>
      <realm-name>player</realm-name>
    </login-config>

    <!-- Security roles referenced by this web application -->
    <security-role>
      <role-name>webadmin</role-name>
    </security-role>

Please let me know what needs to be added to these XML files.

9
  • Is a password prompted? Commented Sep 11, 2013 at 13:28
  • No, I didn't see any login page at all. Commented Sep 11, 2013 at 13:34
  • I doubt it's because of your URL pattern. Everything else looks fine to me. I believe you have restarted the server as well. Commented Sep 11, 2013 at 13:35
  • What should be given in the URL pattern? Please let me know. Commented Sep 11, 2013 at 13:37
  • Try giving '/'. Just to narrow down the problem. Commented Sep 11, 2013 at 13:41
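
An added example, not part of the original question or its comments: a small Python check that reads the two posted files together and flags a url-pattern that is not context-relative, an auth-constraint role that no user holds, and an http-method list that leaves other methods unconstrained. The embedded files are trimmed copies of the question's, and `lint`, `elems` and `texts` are names invented here.

```python
import xml.etree.ElementTree as ET

# Trimmed copies of the two files posted in the question (web.xml wrapped in a root).
TOMCAT_USERS = """<tomcat-users>
  <role rolename="webadmin"/>
  <user username="kumar" password="kumar" roles="manager"/>
</tomcat-users>"""
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>personal</web-resource-name>
    <url-pattern>abc.com</url-pattern>
    <http-method>DELETE</http-method><http-method>GET</http-method>
    <http-method>POST</http-method><http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>webadmin</role-name></auth-constraint>
</security-constraint></web-app>"""


def elems(root, name):
    """Descendants with this local name, whatever XML namespace the file declares."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def texts(root, name):
    """Stripped text content of every descendant with this local name."""
    return [(e.text or "").strip() for e in elems(root, name)]


def lint(web_xml, users_xml):
    """Return findings for constraints that can never match or that leave gaps."""
    findings = []
    granted = set()
    for user in elems(ET.fromstring(users_xml), "user"):
        granted.update(r.strip() for r in user.get("roles", "").split(","))
    for sc in elems(ET.fromstring(web_xml), "security-constraint"):
        for pat in texts(sc, "url-pattern"):
            # Patterns are context-relative: they start with "/" or "*.", never a host.
            if pat and not pat.startswith(("/", "*.")):
                findings.append(f"url-pattern '{pat}' is not context-relative")
        for role in texts(sc, "role-name"):
            # "*" and "**" are wildcards, not role names to look up.
            if role not in ("*", "**") and role not in granted:
                findings.append(f"role '{role}' is not granted to any user")
        methods = texts(sc, "http-method")
        if methods:
            findings.append("only " + ",".join(methods) + " are constrained")
    return findings


if __name__ == "__main__":
    for finding in lint(WEB_XML, TOMCAT_USERS):
        print("WARN:", finding)
```

Pass the file contents without the `<?xml ... encoding=...?>` declaration, or read them as bytes, because `ET.fromstring` rejects a `str` that carries an encoding declaration.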

1 Answer 1

1

As far as access to the Tomcat manager GUI is concerned, there is no role named "manager" to set in tomcat-users.xml.

You have to specify one of these roles.

You can find the role names in the web.xml file of the Manager web application. The available roles are:

  • manager-gui — Access to the HTML interface.
  • manager-status — Access to the "Server Status" page only.
  • manager-script — Access to the tools-friendly plain text interface that is described in this document, and to the "Server Status" page.
  • manager-jmx — Access to JMX proxy interface and to the "Server Status" page.

Have a look at this link for further info: http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html

I hope it helps, thanks.


4 Comments

Please let me know: do you want me to replace manager with manager-status, manager-gui, manager-script or manager-jmx?
Yes, please change the role from "manager" to "manager-gui" in order to access the Tomcat manager web app UI. In tomcat-users.xml, it would be something like this: <user username="username" password="yourPassword" roles="manager-gui"/>. Then restart Tomcat, access the web app and enter the username and yourPassword, and you will be able to access the manager web app UI. I hope it helps, thanks.
I have installed two Apache Tomcats. It is working for the Tomcat webpage which I am running on 8080, but it is not working for the webpage which I am running on 80. On 80, I have uploaded videos, which I really want to protect. Thanks in advance.
Hi, there are two ways you can have multiple Tomcats on a single machine. Depending upon the type of approach you took, you need to set things in order to have the required effect. If you have created an instance and have set the CATALINA_BASE directory, then you must have copied the "conf" folder as well, which includes your tomcat-users.xml too; in this case your username/password will work on this instance as well. If you have installed another Tomcat server separately, then you need to again make an entry in tomcat/conf/tomcat-users.xml as you did previously. I hope it helps. Thanks.
