When I installed the latest Tomcat 7.0.25 I ran into a problem. Many people are not familiar with Tomcat's bundled web management tool, because they have always edited the configuration files by hand. This time I was curious to see Tomcat's web management interface, since I had previously always used WebLogic, which is managed through a web UI. Full of curiosity, I set off on my exploration of Tomcat 7.
First, some background: I downloaded the Tomcat 7.0.25 Windows installer from the official site; the operating system is Windows 7 and the JDK is 1.7.0. During installation there is a step that prompts for a username and password, but it is optional, so I skipped it; you should choose the FULL install type (complete installation). After installation I eagerly opened it and saw the menu entries I expected, "Tomcat Manager" and "Host Manager". Clicking either one pops up a dialog asking for a username and password, which reminded me of the step I had skipped. I remembered that there is a file tomcat-users.xml under the conf folder, which should be where these users are kept; I opened it and it was empty. I searched the web and tried a pile of things, but no matter what I did I could not get in: the error was 403 (odd, because everything I had read described a 404; note the difference, it is instructive). What to do? Uninstall! Reinstall! This time I did set the username and password, and tomcat-users.xml gained a user element, but entering that username and password still produced a 403.
After setting up Tomcat 7.0, configuring user roles in tomcat-users.xml so that the three buttons at localhost:8080 could be reached kept going wrong:
- Server Status
- Manager App
- Host Manager
Either none of the three could be accessed, or only one or two of them.
It turned out that not all of the roles had been added, especially the ones for the third button, "Host Manager".
The fix comes down to these two points:
- The first two buttons belong to the manager application; the role names are
  - manager-gui - allows access to the HTML GUI and the status pages
  - manager-script - allows access to the text interface and the status pages
  - manager-jmx - allows access to the JMX proxy and the status pages
  - manager-status - allows access to the status pages only
- The third button belongs to the admin (host manager) application; the role names are
  - admin-gui - allows access to the HTML GUI and the status pages
  - admin-script - allows access to the text interface and the status pages
So, if security is not a concern and the setup is only for testing, the relevant part of tomcat-users.xml can simply be written as follows:
tomcat-users.xml
After setting this up and restarting, I entered the username and password and it worked! This "tomcat" user has every permission, because it was given all of the roles; you can also create different users and give each a limited set of roles, which gives you permission management.
!!! But note that beneath the 403 error page there is this line: Users with the admin-gui role should not be granted the admin-script role.
Do not dismiss it. I do not know what will go wrong; I added both roles anyway and will deal with any error when it appears. For now I do not know what it is about!
This also applies to apache-tomcat-6.0.32, so version 6 works as well; version 5 is not really recommended any more, so use the latest release so that the interfaces and so on keep up!
Many web pages do not mention the roles for the third button. Without admin-gui and admin-script, the third button fails with an access denied error (access denied ....).
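As an added example, not the author's own file: a tomcat-users.xml for Tomcat 7 that gives one browser account all three buttons (Server Status, Manager App, Host Manager) while keeping the script roles on a separate account, which is what the "admin-gui should not be granted admin-script" warning above asks for. The user names and passwords are placeholders to replace.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for Tomcat 7, not the author's file.
     Idea: a user who logs in with a browser gets only the *-gui roles
     (HTML pages, CSRF-protected); tools that call /text get only the
     *-script roles. No single account holds both. -->
<tomcat-users>
  <!-- Manager application roles (Server Status and Manager App buttons) -->
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <!-- Host Manager application roles (Host Manager button) -->
  <role rolename="admin-gui"/>
  <role rolename="admin-script"/>

  <!-- Browser account: reaches all three buttons and the status pages,
       because manager-gui and admin-gui both include status access. -->
  <user username="webadmin" password="CHANGE-ME-1"
        roles="manager-gui,admin-gui"/>

  <!-- Automation account for the /text interfaces (deploy scripts etc.).
       Deliberately has no *-gui role, so a stolen browser session cannot
       drive it and a script login cannot open the HTML pages. -->
  <user username="deployer" password="CHANGE-ME-2"
        roles="manager-script,admin-script"/>

  <!-- Read-only monitoring account: status pages only. -->
  <user username="monitor" password="CHANGE-ME-3"
        roles="manager-status"/>

  <!-- The quick test setup from the post would instead put every role on one
       user, e.g. roles="manager-gui,manager-script,manager-jmx,manager-status,
       admin-gui,admin-script"; that is exactly the combination the 403 page
       warns against, so keep it to throwaway test installs. -->
</tomcat-users>
```

Restart Tomcat after editing the file; the webadmin account then opens all three buttons, and deployer is only usable against the /text URLs.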
The Manager application has been re-structured for Tomcat 7 onwards and some URLs have changed. All URLs used to access the Manager application should now start with one of the following options:
- /html for the HTML GUI
- /text for the text interface
- /jmxproxy for the JMX proxy
- /status for the status pages
Note that the URL for the text interface has changed from "" to "/text".
The roles required to use the Manager application were changed from the single manager role to the following four roles. You will need to assign the role(s) required for the functionality you wish to access.
- manager-gui - allows access to the HTML GUI and the status pages
- manager-script - allows access to the text interface and the status pages
- manager-jmx - allows access to the JMX proxy and the status pages
- manager-status - allows access to the status pages only
The HTML interface is protected against CSRF but the text and JMX interfaces are not. To maintain the CSRF protection:
- users with the manager-gui role should not be granted either the manager-script or manager-jmx roles.
- if the text or jmx interfaces are accessed through a browser (e.g. for testing since these interfaces are intended for tools not humans) then the browser must be closed afterwards to terminate the session.
The roles command has been removed from the Manager application since it did not work with the default configuration and most Realms do not support providing a list of roles.
The Host Manager application has been re-structured for Tomcat 7 onwards and some URLs have changed. All URLs used to access the Host Manager application should now start with one of the following options:
- /html for the HTML GUI
- /text for the text interface
Note that the URL for the text interface has changed from "" to "/text".
The roles required to use the Host Manager application were changed from the single admin role to the following two roles. You will need to assign the role(s) required for the functionality you wish to access.
- admin-gui - allows access to the HTML GUI and the status pages
- admin-script - allows access to the text interface and the status pages
The HTML interface is protected against CSRF but the text interface is not. To maintain the CSRF protection:
- users with the admin-gui role should not be granted the admin-script role.
- if the text interface is accessed through a browser (e.g. for testing since this interface is intended for tools not humans) then the browser must be closed afterwards to terminate the session.