配置好 Tomcat 7.0 後,在 tomcat-users.xml 中配置用戶角色來訪問 localhost:8080 的這樣三個按鈕總出現問題:
- Server Status
- Manager App
- Host Manager
要麼是三個都不能訪問,要麼是隻能訪問其中一個,或者兩個。
後來發現是角色沒有添加全,特別是針對第三個按鈕“Host Manager”
其實解決點在這樣兩個癥結上:
- 前兩個按鈕和manager相關,具體角色名爲
- manager-gui - allows access to the HTML GUI and the status pages
- manager-script - allows access to the text interface and the status pages
- manager-jmx - allows access to the JMX proxy and the status pages
- manager-status - allows access to the status pages only
- 第三個按鈕和admin相關,具體角色名爲
- admin-gui - allows access to the HTML GUI and the status pages
- admin-script - allows access to the text interface and the status pages
所以在 tomcat-users.xml 如果不注重安全性,只是測試用的話,對應部分可以簡單地寫成下面這個樣子:
---------------------------------
<role rolename="admin"/>
<role rolename="manager-script"/>
<role rolename="manager-gui"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="admin" password="admin" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
---------------------------------
很多網頁沒說到第三個按鈕針對的角色。不添加admin-gui和admin-script的話,第三個按鈕就會出現訪問被拒絕的問題(access denied ....)。
詳細說明可以參考 Tomcat 的文檔(http://tomcat.apache.org/migration.html#Manager_application):
| Manager application |
The Manager application has been re-structured for Tomcat 7 onwards and some URLs have changed. All URLs used to access the Manager application should now start with one of the following options:
- <ContextPath>/html for the HTML GUI
- <ContextPath>/text for the text interface
- <ContextPath>/jmxproxy for the JMX proxy
- <ContextPath>/status for the status pages
Note that the URL for the text interface has changed from "<ContextPath>" to "<ContextPath>/text".
The roles required to use the Manager application were changed from the singlemanager role to the following four roles. You will need to assign the role(s) required for the functionality you wish to access.
- manager-gui - allows access to the HTML GUI and the status pages
- manager-script - allows access to the text interface and the status pages
- manager-jmx - allows access to the JMX proxy and the status pages
- manager-status - allows access to the status pages only
The HTML interface is protected against CSRF but the text and JMX interfaces are not. To maintain the CSRF protection:
- users with the manager-gui role should not be granted either the manager-script ormanager-jmx roles.
- if the text or jmx interfaces are accessed through a browser (e.g. for testing since these interfaces are intended for tools not humans) then the browser must be closed afterwards to terminate the session.
The roles command has been removed from the Manager application since it did not work with the default configuration and most Realms do not support providing a list of roles.
|
| |
| Host
Manager application |
The Host Manager application has been re-structured for Tomcat 7 onwards and some URLs have changed. All URLs used to access the Host Manager application should now start with one of the following options:
- <ContextPath>/html for the HTML GUI
- <ContextPath>/text for the text interface
Note that the URL for the text interface has changed from "<ContextPath>" to "<ContextPath>/text".
The roles required to use the Host Manager application were changed from the singleadmin role to the following two roles. You will need to assign the role(s) required for the functionality you wish to access.
- admin-gui - allows access to the HTML GUI and the status pages
- admin-script - allows access to the text interface and the status pages
The HTML interface is protected against CSRF but the text interface is not. To maintain the CSRF protection:
- users with the admin-gui role should not be granted the admin-script role.
- if the text interface is accessed through a browser (e.g. for testing since this inteface is intended for tools not humans) then the browser must be closed afterwards to terminate the session.
|
