I have recently assumed duties over a site using Tomcat 8 and I am having a hard time getting a view of my manager app and site on the development server. I have set up PuTTy for ssh onto the server and I have configured port forwarding so that the base manager menu for Tomcat shows on localhost:8080 on my machine, indicating that the ssh/port forwarding appears to be working. I get the 403 error when I try to access any other element of the manager gui. I have reviewed multiple versions of this question from the past and I still think my issue is unique to them.
(links here to those answers:
403 Access Denied on Tomcat 8 Manager App without prompting for user/password
Can't access Tomcat 8 Manager App
Tomcat 8.5 - 403 Access Denied)
When looking at the previous questions they reference changing a context.xml file to comment out a valve tag inside the context tag, but my context.xml file doesn't contain this valve tag:
<?xml version="1.0" encoding="UTF-8"?>
<Context path="" reloadable="false">
<ResourceLink global="jdbc/MyDS" name="jdbc/MyDS" type="javax.sql.DataSource" />
<ResourceLink global="jdbc/MyDS" name="jdbc/EPATestDS" type="javax.sql.DataSource" />
<Parameter name="fileStore" value="/data/xxxx" override="false"/>
<Parameter name="logStore" value="/data/xxx" override="false"/>
<Parameter name="formSite" value="x" override="false"/>
<Parameter name="answerKeyStore" value="/data/xxxxx/EPA/key" override="false"/>
<Parameter name="debugMode" value="true" override="false"/>
<Parameter name="hostname" value="https://pre-xxxxxx.com" override="false"/>
<Parameter name="ssoHostname" value="https://pre-xxx.com" override="false"/>
<Parameter name="ssoRealm" value="xxx" override="false"/>
<Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
<!--
These 2 parameters are expected to exist but are set for all applications on the tomcat server
<Parameter name="mailServer" value="xxxxxxx" override="false"/>
<Parameter name="xxxx" value="xxx" override="false"/>
-->
(all xxx's above are to remove identifying information)
and it seems illogical to add a line to be commented. However this context file isn't located where it seems to be indicated for most other questions I've seen on this topic. My file is located at /CATALINA_HOME/webapps/ROOT##104/META-INF/context.xml whereas the solutions say to change it in /CATALINA_HOME/webapps/manager/META-INF/context.xml. When I ls --file-type on webapps it gives the manager filetype as a symbolic link to /usr/local/tomcat/webapps/manager which does not exist inside my /usr directory.
I believe the issue may be due to the way the site was configured/setup using docker, but I can't figure out the solution. The only places where /usr/local/tomcat/webapps/manager/META-INF/context.xml are located are inside of ./var/lib/docker/ directories, and there are several warnings related to not changing these files as they are managed by docker. I am unsure of where to go at this point, but I do have Dockerfiles located I just don't know which/what is needed for context here. I am unsure if I need to build new images, etc. But I can say that restarting tomcat by issuing a docker exec to the container and restarting the container itself didn't cause any changes.
edit based on comment - You have the same var/lib/docker path problems if you search for manager.xml as suggested below
You can see a similar issue when looking to make changes to tomcat-users.xml. This file only appears in directories under ./var/lib/docker/ or one other location, ./home/<username>/repo/tomcat/mec/files/tomcat-users.xml. The file at this location does have a properly configured manager-gui role, but I am unsure if this is being communicated to the proper location.
Not being a seasoned veteran with docker I have limited scope on what the consequences would be of trying to make changes to images and build new containers, etc.
Overall I am just trying to get a view of my Java EE site currently on that development server and I may even be approaching this in the wrong manner. Any and all direction would be greatly appreciated; I am unfortunately taking this up after about 2 years of predecessor leaving and not maintaining.
Related
could anyone please tell me if it is possible to define a role for tomcat user of the default app manager in a way, that he would be able to deploy only specific application? The situation is that developers can deploy only via console since the server itself is administered by third party. And dealing with it costs money (literally). The security requirement is that they should be able to deploy and undeploy just the application they are working on. The notion of multiple tomcat instances was refused. Is there any third party application which could do that? Any ideas are welcome.
Tomcat's built in Manager application does not support this. Assuming you trust your staff, I'd suggest a different approach. Use social controls rather than technical controls.
If anyone does something they shouldn't the access logs will tell you who did it and then you can take appropriate action.
Try this:
First of all, Create a new users xml database file inside [tomcat_home]/conf, lets call it tomcat-users-2.xml.
Add the following entry into the tomcat-users-2.xml file:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<user username="[$yourUsername]" password="[$yourPassword]" roles="tomcat,manager-gui"/>
</tomcat-users>
Notice that you can add more than one user tags in the <tomcat-users>
Then in your [tomcat_home]/conf/server.xml file, find <GlobalNamingResources> tag and add (inside it):
<Resource name="UserDatabase2" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users-2.xml" />
Place the following code inside the <Host ...></Host> tags of the app you want to restrict the user to:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase2"/>
Finally you must Restart Tomcat for the changes to take effect.
For more information, check out this link
I'm trying to integrate CAS server with IdentityServer3 (CAS acting as a Open ID Client).
Following the guides, I updated the cas.properties and changed the following:
```
cas.pac4j.oidc.id=clientid
cas.pac4j.oidc.secret=secret
cas.pac4j.oidc.discoveryUri=https://IdentityServer3/.well-known/openid-configuration
```
I also update the pom.xml file and added pac4j-oidc dependency (not sure if it was needed but it was missing initially)
Now when I access the CAS login page I can see the Oidc long link but the URL is invalid:
https://localhost:8433/cas/login?client_name=OidcClient&needs_client_redirection=true
I was expecting to automatically discover the IdentityServer URL from the discovery document. Is there anything else I need to do?
I also tried adding the following bean to the pac4jContext.xml file:
```
<bean id="oidc1" class="org.pac4j.oidc.client.OidcClient">
<property name="id" value="clientid" />
<property name="secret" value="secret" />
<property name="discoveryUri" value="https://IdentityServer3/.well-known/openid-configuration" />
</bean>
```
When I do this the CAS server is not working anymore (I get a 404 when trying to access it via Tomcat)
Java is not my first language so I'm not sure if I'm missing something obvious but I would really appreciate some help with this.
I have a GWT RPC application deployed to Tomcat 8, and I want the server code to load some configuration data (hostname and port to another service). Otherwise the service works fine. I have read multiple suggestions but I cant get it to work.
A snippet from my Tomcat context.xml (I'm aware that context.xml requires me to restart tomcat when changed - that is OK).
<Context reloadable="true">
<Parameter name="config_hostname" value="192.168.2.199" override="false"/>
<Parameter name="config_port" value="8888" override="false"/>
In my service implementation I have a setup() method. In that I try to access the config by:
String hostname = getServletConfig().getInitParameter("config_hostname");
String port = getServletConfig().getInitParameter("config_port");
however that doesnt work. Can anyone put me on the right track?
----------------------- update -------------------
I have tried putting the info in web.xml like this
<web-app>
<context-param>
<param-name>hostname</param-name>
<param-value>192.168.2.199</param-value>
</context-param>
</web-app>
and using it like this (both works!) :
String h1=getServletConfig().getServletContext().getInitParameter("hostname");
String h2=getServletContext().getInitParameter("hostname");
however I don't want to put it in web.xml since I want to have a different setting for each deployment. Tomcat have conf/server.xml och conf/context.xml and I have tried those but I get NULL in the above calls then.
Which is the best way of storing server-side configurations? Please be detailed in your answer.
I have read doumentation at http://tomcat.apache.org/tomcat-8.0-doc/jndi-resources-howto.html but I obviously don't understand it.
I found the answer here in the tomcat docs at /docs/config/context.html
The syntax in context.xml should be (I was correct from the beginnig here):
<Context>
<Parameter name="hostname" value="<some-ip-address>" override="false"/>
</Context>
and the call to read it should be:
getServletConfig().getServletContext().getInitParameter("hostname");
OR
getServletContext().getInitParameter("hostname");
I'm sure I have a lot more to learn (for example to have separat params for separate web applications in Tomcat, but this is good for now).
I would like to disable page "People" in Hudson. I don't want users to see other users. Is it possible to do?
I don't know if you can do it directly with Hudson, but you certainly be able to do it if you run Hudson within a Tomcat instance (I run mine in a Tomcat 7 without any problem).
You would define a JSP security-constraint, a bit like those ones (note: adapted for LDAP because I defer all user authentication to the webapp container of Hudson: in my case, Tomcat)
The OP asks:
You're suggesting to make changes to hudson/WEB-INF/web.xml? Could you please explicitly mention the file I have to change?
#Vincenzo: I don't! I never touch one bit of the hudson.jar. I only use it within a Tomcat instance, meaning:
I declare in <tomcat>/conf/Catalina/localhost a context for each Hudson I want to manage:
hudson-xxx -> /home/me/context/hudson-xxx.xml
(it is a link because I want to upgrade Tomcat easily, so I externalize the context definition outside of Tomcat). I define my Realm for ACL purposes:
<?xml version='1.0' encoding='utf-8'?>
<Context docBase="/home/me/hudson/hudson.war" path="/hudson-xxx">
<Realm className="org.apache.catalina.real.CombinedRealm" >
<Realm className="org.apache.catalina.real.JNDIRealm" debug="99"
connectionURL="ldap://xxxxx:389"
alternateURL="ldap://xxxxx:389"
connexionName="yyyy"
connectionPassword="zzzz"
userPattern="CN={0},OU=...,DC=..."
userRoleName="memberOf"
useSubtree="false"
roleBase="OU=...,DC=..."
roleName="cn"
roleSearch="(member={0})"
roleSubtree="false"
/>
</Realm>
<Environment name="HUDSON_XXX" value="/home/me/hudson/hudson-xxx-home" type="java.lang.String" override="false" />
</Context>
(With that context, a hudson.war stored outside of Tomcat is automatically deployed with the </tomcat>/webapps directory, and access from http://tomcat-server/hudson-xxx, with an LDAP-based authentication)
I suggests modifying the </tomcat>/conf/web.xml to add security-constraint which would prevent anybody to access the user page while letting only certain tomcat users (as defined in /conf/tomcat-users.xml.
(I haven't tested it yet)
I am trying to set a system property in tomcat config file so it can be read by System.getProperty() code. This is probably a simple task but I am not able to figure this out. Here is want I tried with no success.
Modified context.xml in tomcat settings.
<Context>
....
<Parameter name="run.mode" value="test"/>
<Environment name="run.mode" value="test" type="java.lang.String"/>
</Context>
I don't want to modify container settings, just the server settings.
PS. I am fairly new to to the container and JVM webapp world. Still making sence of things. Right now I am working with Lift.
Use the JAVA_OPTS environment variable when launching Tomcat, like this:
JAVA_OPTS='-Drun.mode=test' start.sh