CODEWITHSUNDEEP
xmltomcatauthentication
krs
krs

Reputation: 1537

How to configure tomcat web.xml and tomcat-users.xml to secure a tomcat page

I want to secure my admin pages in tomcat with web.xml and tomcat-users.xml.It doesn't works.

Here is my contents of my tomcat-users.xml 

 <?xml version='1.0' encoding='utf-8'?>
 <tomcat-users>
 <role rolename="webadmin"/>
 <user username="kumar" password="kumar" roles="manager"/>
 </tomcat-users>

and contents of WEB-INF/web.xml 

    <resource-env-ref>
    <description>abc.com/</description>
    <resource-env-ref-name>player</resource-env-ref-name>
    <resource-env-ref-type>org.apache.catalina.UserDatabase</resource-env-ref-type>
     </resource-env-ref>


     <security-constraint>
     <display-name>player</display-name>
     <web-resource-collection>
     <web-resource-name>personal</web-resource-name>

     <!-- Define the context-relative URL(s) to be protected -->


     <url-pattern>abc.com</url-pattern>
     <!-- If you list http methods, only those methods are protected -->

     <http-method>DELETE</http-method>

     <http-method>GET</http-method>

     <http-method>POST</http-method>

     <http-method>PUT</http-method>

  </web-resource-collection>
  <auth-constraint>
     <!-- Anyone with one of the listed roles may access this area -->
     <role-name>webadmin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
     </form-login-config>-->
  <auth-method>BASIC</auth-method>
  <realm-name>player</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->
 <security-role>
<role-name>webadmin</role-name>
 </security-role>

please let me know what needs to be added in these xmls.

Upvotes: 0

Views: 10534

Answers (1)

codify_it
codify_it

Reputation: 36

As far as access to the tomcat manager GUI is considered, there is no role as "manager" to set in tomcat-users.xml.

you have to specify one of these roles.

You can find the role names in the web.xml file of the Manager web application. The available roles are: •manager-gui — Access to the HTML interface. •manager-status — Access to the "Server Status" page only. •manager-script — Access to the tools-friendly plain text interface that is described in this document, and to the "Server Status" page. •manager-jmx — Access to JMX proxy interface and to the "Server Status" page.

have a look into this link for further info, http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html

I hope it helps, thanks.

Upvotes: 1

Related Questions