Thanks for looking at this,

answers / comments in relevant areas below

On Thu, Jan 31, 2013 at 3:41 PM, Konstantin Kolinko
<knst.koli...@gmail.com> wrote:

> 2013/2/1 L Alex Pranger <apran...@biostargroup.com>:
> > I know that this question has been asked numerous times before, and I have
> > checked the FAQs and setup documentation.  I have made sure that the common
> > mistakes such as leaving the users inside comments, failing to stop and
> > restart tomcat, and configuring the realms are not the cause of my issue.
> > I have even tried multiple browsers (Chrome/FF).
> >
> > When I click the link for the TomCat Manager App, I get the username and
> > password request.  When I enter the values that are in my tomcat-users.xml
> > file (included below), it does not accept those values.  To me it seemed
> > most likely that the Realms were not set up right, so I've included the
> > relevant parts of the server.xml file as well.
> >
> > At first I thought that it was because the
> > org.apache.catalina.realm.MemoryRealm was not defined, so I added that
> > right after the UserDatabaseRealm with no change in behavior.
> >         <Realm className="org.apache.catalina.realm.MemoryRealm"
> >                resourceName="UserDatabase"/>
> > I then thought that maybe it was because those Realms were apparently
> > inside the LockOutRealm, but when I moved the </Realm> tag to before the
> > UserDatabaseRealm and MemoryRealm statements, then the web server just hung
> > and did not respond to requests.  Again, tomcat was stopped and restarted
> > (using the shutdown.sh and startup.sh scripts in /bin) each time I made a
> > change to these files.
> >
> > I'm sure it's probably a typo or similar on my part, and perhaps another
> > set of eyes that know what they are doing can point out my mistake.  Thank
> > you.  Relevant details are below ...
> >
> > ./version.sh
> > Using CATALINA_BASE:   /srv/tomcat7
> > Using CATALINA_HOME:   /srv/tomcat7
> > Using CATALINA_TMPDIR: /srv/tomcat7/temp
> > Using JRE_HOME:        /usr/lib64/jvm/jre
> > Using CLASSPATH:       /srv/tomcat7/bin/bootstrap.jar:/srv/tomcat7/bin/tomcat-juli.jar
> > Server version: Apache Tomcat/7.0.33
> > Server built:   Nov 18 2012 04:15:21
> > Server number:  7.0.33.0
> > OS Name:        Linux
> > OS Version:     2.6.27.56-0.1-default
> > Architecture:   amd64
> > JVM Version:    1.6.0_0-b16
> > JVM Vendor:     Sun Microsystems Inc.
> >
> >
> > ./startup.sh
> > Using CATALINA_BASE:   /srv/tomcat7
> > Using CATALINA_HOME:   /srv/tomcat7
> > Using CATALINA_TMPDIR: /srv/tomcat7/temp
> > Using JRE_HOME:        /usr/lib64/jvm/jre
> > Using CLASSPATH:       /srv/tomcat7/bin/bootstrap.jar:/srv/tomcat7/bin/tomcat-juli.jar
> >
> > tomcat-users.xml
>
> 1. No xml header here? It should not be necessary, but beware of
> implications.
>

There is a header, it was just above all the comments I didn't include.
<?xml version='1.0' encoding='utf-8'?>


> > <tomcat-users>
> >   <role rolename="admin"/>
> >   <role rolename="manager"/>
> >   <role rolename="manager-gui"/>
> >   <role rolename="manager-status"/>
> >   <role rolename="manager-script"/>
> >   <role rolename="manager-jmx"/>
> >   <role rolename="tomcat"/>
>
> 2. The above <role/> elements are unnecessary, unless you want to
> define a role that contains no users. When a <user/> element is parsed,
> necessary roles are created automatically. (That is, to simplify this
> tomcat-users.xml file to make sure that there are no problems
> with it).
>

I thought the FAQs told me that I had to define at least the manager-gui
role.

I left them in because all the examples and documents indicated they should
be there.  Once I'm running, I'll try to remove unneeded ones.


> 3. Is the file readable by the user that Tomcat runs under? (Obviously
> it should not be readable by anyone else for security reasons).
>

Once running, I plan to switch to a "tomcat" user.  While I'm trying to get
this to run, tomcat is running as root.


> >   <user username="tomcat" password="tomcat" roles="tomcat"/>
> >   <user username="admin" password="secret" roles="manager-gui"/>
> >   <user username="tcadmin" password="secret"
> >         roles="manager-script,manager-status,manager-jmx"/>
> > </tomcat-users>
> >
> > server.xml
> > …
> >     <Resource name="UserDatabase" auth="Container"
> >               type="org.apache.catalina.UserDatabase"
> >               description="User database that can be updated and saved"
> >               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> >               pathname="conf/tomcat-users.xml" />
> >   </GlobalNamingResources>
> > …
> >     <Engine name="Catalina" defaultHost="localhost">
> >       <Realm className="org.apache.catalina.realm.LockOutRealm">
> >         <!-- This Realm uses the UserDatabase configured in the global JNDI
> >              resources under the key "UserDatabase".  Any edits
> >              that are performed against this UserDatabase are immediately
> >              available for use by the Realm.  -->
> >         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
> >                resourceName="UserDatabase"/>
> >       </Realm>
> > …
> >     </Engine>
> >
> > Thank you so much for looking at this.
> >
> > Ultimately I'm trying to get Agilefant running under the Tomcat
> > application, and just placing the war file into the webapps directory (as
> > was suggested for a manual install) did not seem to work, so I'm trying to
> > get to the manager so that I can install the war file.
> >
>
> 4. Is your copy of manager webapp the standard one? (Configured to use
> BASIC authentication).
>

The manager is the one built directly from the 7.0.33 tar.gz file.

I'm not sure about it being configured for BASIC authentication. If that
isn't part of the server.xml file, how would I check that?


> 5. Are you being asked for a password, or just being denied access?
>

It asks for a username and password in a popup, much the same way .htaccess
works.
An incorrect (or at least not passing) username/password combo takes me
back to the popup.  I only get the denied/reject screen when I "cancel" the
password.

> If the latter, then you may be facing a RemoteAddrValve denying access.
> (And if you do not have one configured, you had better configure one).
>

There is no RemoteAddrValve in the current server.xml file.

So, if I understand correctly, I would want to add a Valve value, inside my
<Host> container?

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="10.2.0.0|10.2.255.255" deny="" />

would allow all my 10.2.*.* addresses to access the system?

In the Host tag, for the name (currently localhost) do I need to configure
alternate access methods (i.e. 10.2.1.1 or myserver.mycompany.com)?

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>


> 6. Beware that LockoutRealm will block you after several (5) failures.
>

I don't make that many attempts (usually just 2x) before making some change
and stopping and restarting tomcat.

> 7. What is being written into your access log file?
> Are you accessing this copy of Tomcat?
>

Tomcat itself is running when I go to port 8080 on my server with a web
browser.

I'm accessing tomcat through a web browser on a machine other than the
server.

localhost_access_log.2013-01-31.txt
....
10.2.5.203 - - [31/Jan/2013:16:02:42 -0500] "GET / HTTP/1.1" 200 11243
10.2.5.203 - - [31/Jan/2013:16:06:37 -0500] "GET /manager/html HTTP/1.1" 401 2486
10.2.5.203 - - [31/Jan/2013:16:06:47 -0500] "GET /manager/html HTTP/1.1" 401 2486


The whole log file is a little long for inclusion on the mail list;
however, I did find a few interesting issues after the startup command.

catalina.2013-01-31.log
...
Jan 31, 2013 4:16:46 PM org.apache.catalina.realm.CombinedRealm startInternal
SEVERE: Failed to start "org.apache.catalina.realm.MemoryRealm/1.0" realm
org.apache.catalina.LifecycleException: Failed to start component [Realm[MemoryRealm]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
        at org.apache.catalina.realm.CombinedRealm.startInternal(CombinedRealm.java:201)
        at org.apache.catalina.realm.LockOutRealm.startInternal(LockOutRealm.java:120)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:684)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:451)
Caused by: org.apache.catalina.LifecycleException: Exception while reading memory database file
        at org.apache.catalina.realm.MemoryRealm.startInternal(MemoryRealm.java:312)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 17 more
Caused by: org.xml.sax.SAXParseException: The content of elements must consist of well-formed character data or markup.
        at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1234)
        at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:525)
        at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1521)
        at org.apache.catalina.realm.MemoryRealm.startInternal(MemoryRealm.java:309)
        ... 18 more
Jan 31, 2013 4:16:46 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /srv/tomcat7/webapps/ROOT
Jan 31, 2013 4:16:47 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /srv/tomcat7/webapps/docs
Jan 31, 2013 4:16:47 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /srv/tomcat7/webapps/manager
Jan 31, 2013 4:16:47 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /srv/tomcat7/webapps/host-manager
Jan 31, 2013 4:16:47 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /srv/tomcat7/webapps/examples
Jan 31, 2013 4:16:48 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Jan 31, 2013 4:16:48 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8009"]
Jan 31, 2013 4:16:48 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1941 ms
[EOF]

The catalina log does not seem to have changed when I made an attempt to
log in, immediately after stopping and restarting tomcat, beyond that of
the startup itself.

For a single login attempt - nothing was noted in the log.

> Maybe there is something in other log files?
>
>
> Best regards,
> Konstantin Kolinko
>

Thank you so much for your help on this.
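
Added example, not part of the original message: the catalina log above shows MemoryRealm failing with a SAXParseException while reading its user file, and point 3 asks who can read that file. The sketch below checks a tomcat-users.xml-style file for permissions, well-formedness and a manager-gui holder; the function names and sample files are constructed, and it assumes the un-namespaced Tomcat 7 layout quoted in the message.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed samples: two users from the message, and a copy with stray markup.
GOOD = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="admin" password="secret" roles="manager-gui"/>
</tomcat-users>
"""
BROKEN = GOOD.replace('<user username="admin"', '< user username="admin"')


def write_sample(text, mode):
    """Write text to a temp file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(path, mode)
    return path


def audit_users_file(path, needed_role="manager-gui"):
    """Return findings for a tomcat-users.xml style file (hypothetical helper)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("mode %04o: readable by group or other" % mode)
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        # The realm cannot load any users from a file that fails to parse.
        findings.append("not well-formed XML at line %d, column %d" % exc.position)
        return findings
    holders = []
    for user in root.iter("user"):
        roles = [r.strip() for r in (user.get("roles") or "").split(",")]
        if needed_role in roles:
            holders.append(user.get("username") or user.get("name"))
    if not holders:
        findings.append("no user holds role %r" % needed_role)
    return findings


if __name__ == "__main__":
    for text, mode in ((GOOD, 0o600), (BROKEN, 0o644)):
        print(audit_users_file(write_sample(text, mode)))
```

Run against the real conf/tomcat-users.xml, the reported line number points at the markup the SAX parser rejected.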

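
Added example, not part of the original message: in Tomcat 7 the allow and deny attributes of RemoteAddrValve are regular expressions matched against the whole remote address, so the value asked about above can be tested against the client address in the access log before it goes into server.xml. Python's re module stands in for java.util.regex here (an assumption that holds for these simple patterns); the function names and SUBNET_ALLOW are constructed for illustration.

```python
import re

# Access-log lines copied from the message (pattern "%h %l %u %t ...").
ACCESS_LOG = [
    '10.2.5.203 - - [31/Jan/2013:16:02:42 -0500] "GET / HTTP/1.1" 200 11243',
    '10.2.5.203 - - [31/Jan/2013:16:06:37 -0500] "GET /manager/html HTTP/1.1" 401 2486',
]
PROPOSED_ALLOW = r"10.2.0.0|10.2.255.255"   # value asked about in the message
SUBNET_ALLOW = r"10\.2\.\d+\.\d+"           # constructed: any 10.2.x.x address


def valve_allows(addr, allow="", deny=""):
    """Model of the valve decision: deny checked first, whole-string match."""
    if deny and re.fullmatch(deny, addr):
        return False
    if allow and re.fullmatch(allow, addr):
        return True
    # With no allow pattern, a request passes only if a deny pattern exists.
    return bool(deny) and not allow


def rejected_clients(log_lines, allow, deny=""):
    """Return the sorted client addresses (%h field) the valve would refuse."""
    clients = {line.split(" ", 1)[0] for line in log_lines if line.strip()}
    return sorted(c for c in clients if not valve_allows(c, allow, deny))


if __name__ == "__main__":
    print(rejected_clients(ACCESS_LOG, PROPOSED_ALLOW))
    print(rejected_clients(ACCESS_LOG, SUBNET_ALLOW))
```

The "|" in the proposed value is regex alternation between two literal-looking addresses, not a range, which is why the logged client is refused.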