ohseekay

Reputation: 805

Tomcat Web Application Manager - is it possible to limit what each user role can see?

I couldn't find anything regarding this on the Internet, so hopefully an expert here could help answer my question.

I have set up the Tomcat Web Application Manager on my test server, created some roles/users in tomcat-users.xml as follows:

<role rolename="manager"/>
<user username="admin" password="admin" roles="manager"/>
<user username="user1" password="password" roles="manager"/>

admin is supposed to have full rights on the WebApp Manager, while user1 (and perhaps subsequent users) is for users who have been granted permission to upload/deploy their WAR files.

Right now they have the same roles, so obviously they see the same UI upon logging in, but I want user1 to see only the deploy/upload option - essentially limited access to the WebApp Manager.

Is it possible to achieve something like this? If yes, how? If no, what would be an acceptable compromise?

Upvotes: 0

Views: 1641

Answers (1)

Christopher Schultz

Reputation: 20862

You didn't look very hard if you couldn't find this. It's under the "Manager" section of the Tomcat Users' Guide:

http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Configuring_Manager_Application_Access

With the standard user-access roles, you cannot do what you are trying to do. Fortunately, there's nothing stopping you from inventing some.

Let's say you want to set up different roles for deploy and undeploy. Just add them to tomcat-users.xml like this:

<role rolename="deploy"/>
<role rolename="undeploy"/>

Now, modify the manager webapp's web.xml and add some auth-constraints that will allow these new roles to access certain specific functions:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manual Deployment</web-resource-name>
    <url-pattern>/html/deploy</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-gui</role-name>
    <role-name>deploy</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manual Undeployment</web-resource-name>
    <url-pattern>/html/undeploy</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-gui</role-name>
    <role-name>undeploy</role-name>
  </auth-constraint>
</security-constraint>

Note that you will also have to modify the existing <web-resource-collection> for /html/* so that users with any appropriate role (for instance, those with only the 'deploy' role) can access the GUI itself in order to get to those functions configured above.

Upvotes: 1
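Putting the answer's pieces together as one complete configuration: this is an added example, not code from the question, the answer or the Tomcat project. It assumes Tomcat 7 (the version the linked guide covers), where the HTML manager role is manager-gui; that the manager's WEB-INF/web.xml already contains the /html/* constraint shown first, which is edited in place rather than duplicated; and that the command paths in the lock-down constraint match the HTML manager servlet of the deployed version (they are taken from the Tomcat 7 servlet and should be checked against yours).

```xml
<!-- conf/tomcat-users.xml (added example, assumes Tomcat 7).
     admin keeps full GUI access; user1 receives only the custom deploy role. -->
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="deploy"/>
  <role rolename="undeploy"/>
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="user1" password="password" roles="deploy"/>
</tomcat-users>

<!-- webapps/manager/WEB-INF/web.xml: only the fragments that change or are added. -->

<!-- 1. The existing /html/* constraint, widened so that a user holding only
        'deploy' or only 'undeploy' can load the manager's list page at all. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-gui</role-name>
    <role-name>deploy</role-name>
    <role-name>undeploy</role-name>
  </auth-constraint>
</security-constraint>

<!-- 2. Deploy: /html/deploy (deploy from a server path or URL) and
        /html/upload (the WAR upload form), both open to the 'deploy' role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manual Deployment</web-resource-name>
    <url-pattern>/html/deploy</url-pattern>
    <url-pattern>/html/upload</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-gui</role-name>
    <role-name>deploy</role-name>
  </auth-constraint>
</security-constraint>

<!-- 3. Undeploy, open to the 'undeploy' role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manual Undeployment</web-resource-name>
    <url-pattern>/html/undeploy</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-gui</role-name>
    <role-name>undeploy</role-name>
  </auth-constraint>
</security-constraint>

<!-- 4. Lock-down: because /html/* now admits the custom roles, every other
        manager command must get a more specific pattern that keeps it
        manager-gui only; otherwise a deploy-only user could stop, reload or
        expire any application. Command list assumed from Tomcat 7's
        HTMLManagerServlet; verify against the deployed version. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Full-control manager commands</web-resource-name>
    <url-pattern>/html/start</url-pattern>
    <url-pattern>/html/stop</url-pattern>
    <url-pattern>/html/reload</url-pattern>
    <url-pattern>/html/expire</url-pattern>
    <url-pattern>/html/sessions</url-pattern>
    <url-pattern>/html/findleaks</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-gui</role-name>
  </auth-constraint>
</security-constraint>

<!-- 5. Declare the new roles so the container knows them. -->
<security-role><role-name>deploy</role-name></security-role>
<security-role><role-name>undeploy</role-name></security-role>
```

The reason constraint 4 is needed follows from how the servlet container picks constraints: for a given request URI only the constraints on the best-matching url-pattern apply, so /html/deploy is governed by constraint 2 rather than by /html/*, but any command path without its own pattern falls back to the widened /html/* constraint and inherits the custom roles. A quick check after restarting Tomcat is to log in as user1 and request /manager/html/stop?path=/examples directly; it should return 403 while /manager/html/list still renders.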
