Tomcat 7.0.14 installed via NetBeans 7 installation.
I'm receiving HTTP 401 errors attempting to log in to the manager GUI "http://localhost:8084/manager/html". At the prompt I enter tomcat/password as my login credentials. My tomcat-users.xml file is...
I've scoured the Internet looking for solutions and the setup above appears to be correct. I've seen another post on this forum that suggests the <role> elements specified above are not needed as they are predefined roles so I've tried again with the following tomcat-users.xml file.
And also with only the manager-gui role.
None of the above formats is working for me. I continually get the login prompt after entering tomcat/password and clicking OK. When I click Cancel I see the HTTP 401 error page with suggestions to setup my tomcat-users.xml to be exactly as I've done. I've been restarting the server after each edit of the XML file. Any ideas?
I'm not quite sure what you're asking here. It sounds like you have a working solution but you're hoping for a shortcut?
Roles are defined in web.xml. The tomcat-users.xml file, however, is used to assign roles to a user. One of the great flexibilities of the role-based access control architecture can be demonstrated as follows:
Mary is the "IT" person for the accounting webapp. Her login is authorized for the "data-entry" and "report-printing" roles and for the "app-administrator" role.
Catherine runs reports. Her login is only authorized for "report-printing".
Claude is the data entry clerk. His login is only authorized for "data entry".
Claude is going on vacation. Someone has to take over data entry. Mary dumps the job on Catherine and has the system administrator add the "data-entry" role to Catherine's login definition. So now Catherine's tomcat-users.xml entry has roles="report-printing,data-entry". When Claude returns, the system administrator removes "data-entry" from Catherine's roles.
Incidentally, one of the reasons that tomcat-users.xml isn't recommended for production environments is that the Realm that uses it (MemoryRealm) loads in the entries when Tomcat starts up and does not monitor for changes to that file. To see the roles change, Tomcat has to be restarted. When a more dynamic Realm is used, such as a JDBCRealm or LDAP Realm, the roles a user has are determined at login time, so to get the changes, Tomcat doesn't have to be restarted. All that's required is for the user to log out and then log back in again. It could get really messy trying to program for role changes that happened while logged in, so that level of flexibility isn't available.
Now you see (I hope) why the complete set of credentials for a user - including roles for that user - have to be explicitly defined in tomcat-users.xml.
I'm not quite sure what you're asking here.
I'm just trying to login to the Tomcat manager GUI and am unable to. I'm new to web service development in Java and the Tomcat application server and I'm just poking around trying to familiarize myself with it.
It sounds like you have a working solution but you're hoping for a shortcut?
No, I don't have anything working at the moment. In my original message, all of those XML snippets are failed attempts at setting up tomcat-users.xml so that I can login to the manager app (http://localhost:8084/manager/html).
Roles are defined in web.xml.
Thanks, I see that the roles are defined in the following location in my installation. C:\Program Files\Apache Software Foundation\Apache Tomcat 7.0.14\webapps\manager\WEB-INF\web.xml. However, the web.xml file in the conf directory does not have defined roles. In which location should the roles be defined? The error message returned by Tomcat when I fail to login is an HTTP 401 and specifically says the following.
You are not authorized to view this page. If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation. That file must contain the credentials to let you use this webapp.
For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above.
<user username="tomcat" password="s3cret" roles="manager-gui"/>
It seems that the manager-gui role must be defined in the tomcat-users.xml file unless the message is incorrect. Note in my original message that I did have my tomcat-users.xml setup as follows and this does not work in my installation.
Incidentally, one of the reasons that tomcat-users.xml isn't recommended for production environments is that the Realm that uses it (MemoryRealm) loads in the entries when Tomcat starts up and does not monitor for changes to that file. To see the roles change, Tomcat has to be restarted
I have been restarting the server after each modification to tomcat-users.xml without success.
When a more dynamic Realm is used, such as a JDBCRealm or LDAP Realm, the roles a user has are determined at login time, so to get the changes, Tomcat doesn't have to be restarted.
For my web service application, this is what I will use. In Glassfish I am already set up to use JDBCRealm where it validates users against tables in an Oracle DB. At the moment, however, I'm not at the deployment phase. I simply want to see what the Tomcat manager GUI has within so that I can start playing with it in order to set up the JDBCRealm and what not.
I'm a complete newbie at this stuff so please assume that I know absolutely nothing with respect to Tomcat and using the management console. All that I want to do is get into it and do some hands-on experimenting to set up my web service application. This is a sandbox server that I'm getting my feet wet in.
The TOMCAT_HOME/conf/web.xml file is something that you shouldn't touch. It's the background definitions for all J2EE apps. The security roles for specific webapps such as the Tomcat Manager are defined in the WEB-INF/web.xml of that app.
The tomcat-users.xml file supplied with Tomcat doesn't have any admin stuff set up, and as far as I can remember, that includes the role names, so yes, you'd have to add the ones that people will be using. And in case you were wondering, the role namespace covers all deployed webapps, so the total set of role names in tomcat-users.xml is the union of the sets of the role names of all the deployed apps with roles that you will use.
I suspect that you may need to define and assign the manager-status role as well as the manager-ui role before you can effectively use the manager app. If you can login but you get "forbidden" pages, then your role assignments aren't all set up the way you need them to be - your role set doesn't include the URL of the page you're trying to access. If you can't login at all, then the user ID and password are at fault. They're both case-sensitive, incidentally.
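The checks discussed in this exchange (is the user actually defined, is the role name spelled the way the manager app expects, is manager-gui assigned) can be run against a tomcat-users.xml file before restarting Tomcat. The following is an added example, not code from the thread or from Tomcat; the function names are hypothetical, the sample file is constructed, and the role set is the four roles the Tomcat 7 manager application declares.

```python
import xml.etree.ElementTree as ET

# Role names declared by the Tomcat 7 manager webapp (its WEB-INF/web.xml).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Constructed sample: one user left inside a comment, one with a misspelled
# role name, one with a role combination the Tomcat docs advise against.
SAMPLE = """<tomcat-users>
  <!--
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  -->
  <role rolename="manager-gui"/>
  <user username="admin" password="example-only" roles="manager-ui,manager-status"/>
  <user username="ops" password="example-only" roles="manager-gui,manager-script"/>
</tomcat-users>
"""

def load_users(xml_text):
    """Return {username: set(roles)} for the <user> elements a parser sees.

    Entries inside <!-- --> are comments, not elements, so they never appear.
    """
    users = {}
    for user in ET.fromstring(xml_text).iter("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        users[user.get("username")] = roles
    return users

def check_manager_access(xml_text, username):
    """List reasons `username` may be refused at /manager/html, plus hardening notes."""
    users = load_users(xml_text)
    if username not in users:  # lookup is case-sensitive, like the login itself
        return ["user '%s' is not defined (commented out, or wrong case?)" % username]
    roles, findings = users[username], []
    for role in sorted(roles - MANAGER_ROLES):
        if role.startswith("manager"):
            findings.append("role '%s' is not declared by the manager app" % role)
    if "manager-gui" not in roles:
        findings.append("missing manager-gui, required for /manager/html")
    elif roles & {"manager-script", "manager-jmx"}:
        findings.append("manager-gui combined with script/jmx roles weakens CSRF protection")
    return findings

if __name__ == "__main__":
    for name in ("tomcat", "admin", "ops"):
        print(name, check_manager_access(SAMPLE, name))
```

An empty list means the entry itself looks right, in which case the next thing to confirm is that the running Tomcat instance is reading the file that was edited.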
The tomcat-users.xml file supplied with Tomcat doesn't have any admin stuff set up, and as far as I can remember, that includes the role names, so yes, you'd have to add the ones that people will be using.
This is correct, there is nothing in the XML file by default other than comments including a template for specifying roles and users which I've followed.
I suspect that you may need to define and assign the manager-status role as well as the manager-ui role before you can effectively use the manager app.
Perhaps, but I have tried that as well with no success. One of the permutations I attempted was giving my user all available roles (even though Tomcat advises to not do so as it violates some security protocol or something) and that too failed. The XML for that attempt is...
If you can login but you get "forbidden" pages, then your role assignments aren't all set up the way you need them to be
I cannot login. I enter my username and password correctly, in the exact case (all lower) as specified in the tomcat-users.xml file and every time I click OK at the login dialog, it does not load. It only shows the login dialog again, and again, and again, ... until I get fed up and click Cancel. At this point I am shown the error page showing HTTP 401 with the text I included in my previous reply.
your role set doesn't include the URL of the page you're trying to access.
I do not understand what you mean here. Can you expand on this? At no point have I specified a URL in the role definitions or in my user/role mapping. Perhaps this is an issue? The web.xml file that does contain role names is located at this location, C:\Program Files\Apache Software Foundation\Apache Tomcat 7.0.14\webapps\manager\WEB-INF\web.xml and the URL I am attempting to access is located at http://localhost:8084/manager/html. This URL is for the Tomcat manager page from what I can tell, but it's a dark and mysterious place that I cannot access.
The entire contents of that web.xml file is...
Try removing the LockoutRealm outer Realm definition from server.xml. That will eliminate one of the ways that logins could fail. Also, make sure that the tomcat-users.xml file hasn't accidentally been given file access rights that keep it from being readable by Tomcat.
You might also find useful messages in the logs/localhost log file or logs/catalina.out file.
Try removing the LockoutRealm outer Realm definition from server.xml.
I tried the following, no luck.
Also, make sure that the tomcat-users.xml file hasn't accidentally been given file access rights that keep it from being readable by Tomcat.
Everything should be OK here. It's read-write and I've closed the file from my text editor to release any lock the editor may have placed on it that prevents it from being opened. I still see the same behavior.
You might also find useful messages in the logs/localhost log file or logs/catalina.out file.
My logs directory is empty.
I've viewed some other tutorials online and this should really be somewhat simple. Seeing that it is not, I'm going to uninstall it and reinstall it. Tomcat was bundled with NetBeans 7 installer and although I should have no reason to doubt the success of the installation, it appears that some links are broken in my Tomcat installation which raises doubt. For example, when I navigate to the Tomcat admin homepage I see the message that the installation was successful. I also see various links to how-to pages and the like. Those links are all broken. I get 404 errors. I'll go down this road a bit and see where it leads.
Good luck! I gotta earn my keep, so I probably won't be back until tomorrow morning!
Michael Staszewski wrote: Ding, ding, ding. Downloading the official Tomcat distribution and setting it up manually by editing server.xml to resolve a port conflict and setting up tomcat-users.xml works like a champ.
Hey Michael. I have the exact same problem and it is driving me nuts. Can you please elaborate on how you solved this?
I have followed all the steps that Tim suggested. No luck.
It's fine. Thanks for the wonderful thread though. I got to learn a lot. I tried reinstalling Tomcat. Still doesn't work. I hope Tim can give me some suggestions.