Tomcat 7 manager

 
Greenhorn
Posts: 15
I have a need for users inside my network to access the Tomcat manager page. I don't have any users set up with privileges, because I'm concerned that I was able to reach the login page from outside the network (from the Internet). Without any users explicitly defined, I understand the default is that there are NO users defined... implying that even if you reached the admin page, it would not be possible to log in (e.g. via brute force, etc...). However, I still do not want this page to be displayed AT ALL for any users outside the network.

Every example that I have found seems to use something called a RemoteAddrValve that allows 127.0.0.1. Does anyone know how I can lock this down, so that ONLY users inside the network could get to the Tomcat manager login page?
 
Saloon Keeper
Posts: 27752
  • Likes 1
The ultimate line of defense is the user login itself. The Tomcat manager and admin webapps both use the J2EE container-managed security system, which unlike the tissue-paper security that's the overwhelming norm for do-it-yourself login systems, was designed by security specialists and has never, to my knowledge, been defeated in Tomcat or any other webapp server. As long as best practices for formulation of login IDs and passwords are adhered to, it's as close to impervious as any software system can be.

If you want to limit access to the manager apps themselves to specific source IP ranges (your intranet, for example), you can add a Valve to their Context definitions or to the Host definition (although if you do it there, ALL webapps for that host will be restricted).

There are other safeguards you can take. Commonly outside access to Tomcat webapps is mediated by some sort of reverse proxy such as Apache HTTP, Nginx, IIS, or the like. It allows having mixed-language webapps on a common server and keeps Tomcat from having to run as a privileged user in order to listen on ports 80 and 443. In that case you can simply define your proxy to not route any external requests addressed to the Manager and Admin webapps and Tomcat will never have to deal with them.

Or, of course, you can simply delete these webapps from your Tomcat server altogether. They're just webapps, and although they do provide a convenient web-based management console, Tomcat can run just fine without them.
 
Greenhorn
Posts: 3
tomcat7\conf\context.xml

add this line under the <Context></Context> tag

<!-- allow is a regular expression in Tomcat 7, so the dots are escaped;
     127\.0\.0\.1 is the loopback address -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
        allow="127\.0\.0\.1" />

*Note -- you can add your remotely accessed IP instead of 127\.0\.0\.1
 
Tim Holloway
Saloon Keeper
Posts: 27752
Please note that the above solution doesn't just limit access to the Tomcat Manager webapp, it restricts access to all webapps.
 
Don't get me started about those stupid light bulbs.
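The per-webapp form of the restriction discussed in this thread, as an added example that is not from any post on this page: a context file for the manager webapp alone, so other webapps on the host are unaffected. The intranet range 192.168.1.0/24 is an assumed value.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: conf/Catalina/localhost/manager.xml
     A valve placed here applies only to the manager webapp, unlike one in
     conf/context.xml or in the Host element, which restricts every webapp.
     Because this file overrides the webapp's own META-INF/context.xml, the
     manager's privileged="true" setting must be kept. -->
<Context antiResourceLocking="false" privileged="true">
  <!-- In Tomcat 7, allow/deny are comma-separated Java regular expressions
       matched against the whole client address, so dots must be escaped.
       An unescaped "127.0.0.0" matches only a literal 127.0.0.0 and never
       the loopback 127.0.0.1.
       Assumed values: loopback plus the 192.168.1.0/24 intranet. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1|192\.168\.1\.\d+" />
</Context>
```

If Tomcat sits behind a reverse proxy, the valve sees the proxy's address rather than the real client's, so either enforce the restriction at the proxy (as suggested above) or configure org.apache.catalina.valves.RemoteIpValve ahead of it so the forwarded client address is the one checked.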