Ava

Reputation: 6053

401 Unauthorized error while logging in Manager-App of Tomcat

I am trying to log in to the Manager App in Tomcat 7.0.22 for Mac OS X 10.7. Here is the error I am getting: http://f.cl.ly/items/421q1K3f1i0X1H1M181v/so.tiff

401 Unauthorized

You are not authorized to view this page. If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation. That file must contain the credentials to let you use this webapp.

For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above.

<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>

I have added this in my tomcat-users.xml, but it's still not taking the same username/password.

<tomcat-users>
<role rolename="manager-gui"/>
<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>
</tomcat-users>

Upvotes: 26

Views: 88293

Answers (24)

PHZ.fi-Pharazon

Reputation: 2073

I'm running Ubuntu 24.04 with Tomcat9. After trying out everything else listed here, I ended up editing /etc/tomcat9/server.xml and changing the pathName of tomcat-users.xml (in <GlobalNamingResources>) from conf/tomcat-users.xml, first by omitting the conf, but what really worked was replacing it with the full path

pathName=/etc/tomcat9/tomcat-users.xml

and then restarting tomcat9 by running

systemctl restart tomcat9

Upvotes: 0

Hazhir

Reputation: 788

If you are using Microsoft EDGE, perhaps it's not you - it's EDGE!

Deleting EDGE and switching over to old fellow Chrome did the trick for me.

However, if you still want to stick with EDGE, check the link/screenshot below and see if basic authentication is allowed:

https://answers.microsoft.com/en-us/microsoftedge/forum/all/latest-version-of-edge-no-longer-shows-basic/3601252b-e56b-46c0-a088-0f6084eabe47


Upvotes: 0

Ihor Antonov

Reputation: 61

Be careful with the syntax of the tomcat-users.xml file; double-check it for errors. I faced this problem due to a "/" (extra character) before the beginning of my script.

Upvotes: 0

Zhang

Reputation: 61

Another thing to notice on Mac if you install Tomcat via Homebrew is that the tomcat-users.xml file exists in 2 different locations.

/usr/local/opt/tomcat@9/libexec/conf/tomcat-users.xml
/usr/local/Cellar/tomcat@9/9.0.65/.bottle/etc/tomcat@9

You need to add the role/user in the tomcat-users.xml within /usr/local/opt directory.

Upvotes: 0

Panagiotis Bougioukos

Reputation: 18939

So if nothing else works for you check that here

I had messed in my server.xml with the following line

 <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="jdbc/myapp"/>

That here should always be resourceName="UserDatabase"

  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>

I mistakenly thought it had to do with my application database and had configured it. This here is the Tomcat user database, not the database that you have for your application.

Upvotes: 0

Ajay Kumar

Reputation: 3250

The below should work for a "vanilla" installation (or zip/tar archive) - replace your tomcat-users.xml with (similar to) this:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>  
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <role rolename="admin-gui"/>
  <role rolename="admin-script"/>
  <user username="abc" password="xyz" roles="manager-gui, manager-script, manager-jmx, manager-status, admin-gui, admin-script"/>
</tomcat-users>

I ran into a similar issue and am still not able to log in using Google Chrome (Version 73.0.3683.103) as of 05/14/2019 10:30am CST, despite reinstalling/configuring Google Chrome multiple times.

I would suggest trying a different browser such as Firefox/IE etc. if you are running into this issue even after fiddling a lot with the XMLs.

Upvotes: 0

tva.007

Reputation: 61

If you are on Tomcat 8, you may be missing the following. After updating the Realms and tomcat-users.xml, you also need to edit the apps' context.xml.

By default, newer versions of Tomcat restrict access to the Manager and Host Manager apps to connections coming from the server itself. Since we are installing on a remote machine, you will probably want to remove or alter this restriction. To change the IP address restrictions on these, open the appropriate context.xml files.

For Manager app:

/webapps/manager/META-INF/context.xml

For Host-Manager app:

/opt/tomcat/webapps/host-manager/META-INF/context.xml

Comment out the following section for the Valve as follows:

<Context antiResourceLocking="false" privileged="true" >
    <!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
            allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->
</Context>

You should be all set after this.

Upvotes: 5
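
To see which clients each choice lets through before editing context.xml, the following added example (not code from the answer or from Tomcat) parses a Context body, finds the RemoteAddrValve and evaluates its allow/deny expressions against a list of addresses. The three context bodies, the 192.0.2.0/24 admin subnet and the client addresses are constructed, and the matching rule is a model assumed for this example.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"


def allowed(addr, allow, deny):
    # Modelled as whole-string regex matches with deny checked before allow
    # (an assumption of this example, following the valve's documented attributes).
    if deny and re.fullmatch(deny, addr):
        return False
    if allow and re.fullmatch(allow, addr):
        return True
    return bool(deny) and not allow


def admitted(context_xml, addresses):
    """Return (restricted, addresses that reach the app) for a context.xml body."""
    root = ET.fromstring(context_xml.strip())
    # The parser drops comments, so a commented-out valve is simply absent.
    valves = [v for v in root.iter("Valve") if v.get("className") == VALVE]
    passed = list(addresses)
    for valve in valves:
        passed = [a for a in passed if allowed(a, valve.get("allow"), valve.get("deny"))]
    return bool(valves), passed


# The allow expression quoted in the answer above.
LOOPBACK = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
# Constructed context.xml bodies: valve active, valve commented out, and the
# same valve widened by one documentation-range subnet (192.0.2.0/24).
DEFAULT = f'<Context privileged="true"><Valve className="{VALVE}" allow="{LOOPBACK}"/></Context>'
COMMENTED = f'<Context privileged="true"><!--<Valve className="{VALVE}" allow="{LOOPBACK}"/>--></Context>'
WIDENED = f'<Context privileged="true"><Valve className="{VALVE}" allow="{LOOPBACK}|192\\.0\\.2\\.\\d+"/></Context>'
# Constructed client addresses: loopback, the admin subnet, an unrelated host.
CLIENTS = ["127.0.0.1", "::1", "192.0.2.15", "203.0.113.9"]

if __name__ == "__main__":
    for label, body in [("default", DEFAULT), ("commented", COMMENTED), ("widened", WIDENED)]:
        print(label, admitted(body, CLIENTS))
```

With the valve commented out the Manager app is reachable from every listed address and only the login remains; the widened expression admits the one extra subnet and nothing else.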

gencaysahinn

Reputation: 302

I had the same error, then I changed the password in users.xml and it was solved. If you use some special chars like & or @, it doesn't work. Remove them.

Upvotes: 4

Carl Chang

Reputation: 129

Just to add some information on @David's answer:

If you are like me and SFTP to the host with any user under a group other than tomcat (e.g. root) and edit tomcat-users.xml with some generic editor like gedit or VS Code, the group of the file will be changed to the user you used (probably because a new file was created). Like below:

drwxr-x--- 2 root tomcat   4096 Jun 21 11:41 ./
drwxr-xr-x 9 root tomcat   4096 May 24 14:12 ../
-rw-r----- 1 root tomcat  13531 Apr 28 03:34 catalina.policy
-rw-r----- 1 root tomcat   7202 Apr 28 03:34 catalina.properties
-rw-r----- 1 root tomcat   1400 Apr 28 03:34 context.xml
-rw-r----- 1 root tomcat   1149 Apr 28 03:34 jaspic-providers.xml
-rw-r----- 1 root tomcat   2313 Apr 28 03:34 jaspic-providers.xsd
-rw-r----- 1 root tomcat   3850 Apr 28 03:34 logging.properties
-rw-r----- 1 root tomcat   7511 Apr 28 03:34 server.xml
-rw-r----- 1 root root     2342 Jun 21 11:41 tomcat-users.xml
-rw-r----- 1 root tomcat   2633 Apr 28 03:34 tomcat-users.xsd
-rw-r----- 1 root tomcat 170202 Apr 28 03:34 web.xml

Maybe my initial setup of Tomcat was a bit casual... But with the above behavior, Tomcat will lose access to the edited file. The result would be 401 Unauthorized.

There are a number of options to get around the problem. I'm not sure if any of them is the best practice though.

  • Changing permission after the edit (yes sure...).
  • nano and WinSCP do not seem to suffer from the issue.
  • SETGID: chmod g+s /conf_folder (not tested).
  • Follow this answer
  • Maybe an editor that is permission-aware?

Upvotes: 0

Greg

Reputation: 2617

Check your browser.

I was running tomcat locally on Windows, and trying to log in using Chrome. None of the suggestions above seemed to work. Finally on a whim, I tried Firefox and got the login prompt! I restarted Chrome and tried it again, and still nothing. It appears our network policy screws with Chrome - probably blocking the popup login dialog.

Upvotes: 10

acker9

Reputation: 493

In my case, I had multiple <Engine><Host>...</Host></Engine> sections in my context.xml and I had to copy and paste the <Realm className="org.apache.catalina.realm.LockOutRealm">...</Realm> into each <Engine>...</Engine> section because I had the manager app deployed in each one of these hosts that were part of a separate Engine.

The answer from @swapnil chaudhari about the IP address restriction in the app's META-INF/context.xml is also helpful, however I found it more beneficial to override the Context in my server's server.xml.

In the end, I have something like this for each one of my Engines:

    <Engine name="CatalinaMyUniqueEngine"
            defaultHost="MyUniqueHost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="MyUniqueHost"
            appBase="/opt/tomcat/webapps/MyUniqueHost"
            unpackWARs="true" autoDeploy="true">
        <Context path="/manager" privileged="true" antiResourceLocking="false"
                 docBase="manager">
          <!-- Wider allowance than the default.
               Or you can remove to allow all IPs, which probably isn't
               a good idea. -->
          <Valve className="org.apache.catalina.valves.RemoteAddrValve"
                 allow="127\.0\.0\.1|10\.244\.\d+\.\d+" />
        </Context>
      </Host>
    </Engine>

docBase is relative to appBase. In /opt/tomcat/webapps/MyUniqueHost, I have a symbolic link to the manager application installed by my system's package manager (Debian-based), which placed it at /usr/share/tomcat8-admin/manager. These symbolic links allow me to use the manager app in all my Hosts without copying the manager application.

Upvotes: 0

ajinkya

Reputation: 31

Changing the port from 8080 to 8088 in server.xml worked for me. Refer to the code below:

<Connector port="8088" protocol="HTTP/1.1" 
connectionTimeout="20000"
redirectPort="8443" />

Upvotes: 1

navdeep

Reputation: 51

Check the exact lines in server.xml

  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

Navdeep

Upvotes: 5

Dean

Reputation: 1

I was using a particularly complex password with lots of odd characters. I just changed it back to a regular password and it worked fine.

Upvotes: -1

Richhard

Reputation: 11

In Windows I had a CATALINA_HOME environment variable defined for another Tomcat installation, so that was starting even though I was using the startup script in the new installation folder. So just deleting CATALINA_HOME solved the problem for me.

Upvotes: 0

user5371337

Reputation: 21

Shut down Tomcat.

Paste the complete content below into tomcat-users.xml and save.

Start Tomcat.

Now the build should work. I did this on Windows with Jenkins and Git deployment via tomcat7.

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <role rolename="admin-gui"/>
  <role rolename="admin-script"/>
  <user roles="manager-gui, manager-script, manager-jmx, manager-status, admin-gui, admin-script" password="admin" username="admin"/>
</tomcat-users>

Upvotes: -1

Sruthy Raj

Reputation: 1

I tried to add the username as tomcat in tomcat-users.xml, which was already a role, and it was not working. Then I gave the username as admin and it worked fine. :)

Upvotes: -1

TenLeftFingers

Reputation: 192

Also make sure that you have set TOMCAT_HOME as well as JAVA_HOME environment variables correctly.

Upvotes: 0

David

Reputation: 469

I also encountered this problem. The content of my tomcat-users.xml was correct, but the file was not readable by Tomcat. I changed the file's group to tomcat7, restarted Tomcat, and voilà!

Here's the content of my tomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <user username="admin" password="admin" roles="manager-gui, admin-gui" />
</tomcat-users>

Upvotes: 8

n00b

Reputation: 4737

It's unlikely that anybody made the same mistake I did, but in case you have a couple of versions of Tomcat (or have fudged the installation and have files you need to clean up), make sure you are in the correct folder.

I was looking at the config file in C:\tomcat7\ but the actual Tomcat that was running was in C:\Program Files\Apache Software Foundation\Tomcat 7.0\

Upvotes: 4

MattC

Reputation: 6334

To add some clarity, here are the roles you need to add to your conf/tomcat-users.xml as of Tomcat 7.x. If you want to keep the comments you can, but this is all you need (to log in with admin/admin) in the file:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>  
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <role rolename="admin-gui"/>
  <role rolename="admin-script"/>
  <user username="admin" password="admin" roles="manager-gui, manager-script, manager-jmx, manager-status, admin-gui, admin-script"/>
</tomcat-users>

Upvotes: 7

Dan H

Reputation: 14560

OK, I had this error too. Couldn't find the bug, couldn't find the bug, couldn't find the bug. My "tomcat-users" block looked just like this.

<tomcat-users>
<role rolename="manager-gui"/>
<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>
</tomcat-users>

FINALLY FOUND THE BUG. I kept editing the XML inside the XML comment block:

<!--
<tomcat-users>
<role rolename="manager-gui"/>
<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>
</tomcat-users>
-->

DOH!

So: don't forget to remove the "<!--" and "-->".

Upvotes: 31
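
Several answers on this page come down to the content of tomcat-users.xml: entries left inside an XML comment (above), a raw special character in a password, a missing manager-gui role, or credentials copied verbatim from a snippet. The following added example (not code from any answer or from Tomcat) audits a file body for those cases; the function names, finding codes and sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Passwords printed in this page's snippets; treat them as publicly known.
SAMPLE_PASSWORDS = {"s3cret", "admin", "xyz"}


def local(tag):
    """Strip an XML namespace prefix such as {http://...}user."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(text, needed_role="manager-gui"):
    """Return a list of (code, detail) findings for a tomcat-users.xml body."""
    findings = []
    # Entries edited inside <!-- ... --> are never loaded.
    if any("<user" in c for c in re.findall(r"<!--(.*?)-->", text, re.DOTALL)):
        findings.append(("commented-user", "a <user> element is inside a comment"))
    try:
        root = ET.fromstring(text.strip())
    except ET.ParseError as exc:
        # Stray characters or a raw '&' in a password end up here.
        return findings + [("not-well-formed", str(exc))]
    if local(root.tag) != "tomcat-users":
        findings.append(("wrong-root", root.tag))
    users = [el for el in root.iter() if local(el.tag) == "user"]
    if not users:
        findings.append(("no-active-user", "no <user> element outside comments"))
    for el in users:
        # The page's snippets spell this attribute both ways, so read either.
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if needed_role not in roles:
            findings.append(("missing-role", f"{name} lacks {needed_role}"))
        if el.get("password", "") in SAMPLE_PASSWORDS | {name}:
            findings.append(("sample-password", f"{name}: published or trivial password"))
    return findings


# Constructed inputs, one per failure mode.
COMMENTED = """<tomcat-users>
<!-- <user username="tomcat" password="s3cret" roles="manager-gui"/> -->
</tomcat-users>"""
RAW_AMPERSAND = '<tomcat-users><user username="ops" password="p&ss" roles="manager-gui"/></tomcat-users>'
COPIED = '<tomcat-users><user username="admin" password="admin" roles="manager-gui, admin-gui"/></tomcat-users>'

if __name__ == "__main__":
    for label, body in [("commented", COMMENTED), ("ampersand", RAW_AMPERSAND), ("copied", COPIED)]:
        print(label, audit_tomcat_users(body))
```

A password containing `&` parses once it is written as `&amp;` in the attribute value.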

autremoi

Reputation: 261

I was getting exactly the same error and it only started working after I changed the connector port from 8080 to 8081.

Upvotes: 0

Mohamad

Reputation: 35349

Sorry, I have to ask the obvious: Did you restart Tomcat?

If that doesn't work, try adding "admin-gui" to your roles:

<user name="tomcat" password="s3cret" roles="admin-gui,standard,manager-gui"/>

Upvotes: 20
