On Tue, Sep 2, 2014 at 10:53 AM, Shanti Suresh <sha...@umich.edu> wrote:
> Hi Dan,
>
> On Tue, Sep 2, 2014 at 7:50 AM, Daniel Mikusa <dmik...@pivotal.io> wrote:
>
> > So using a RemoteAddrValve will allow you to restrict access by IP address,
> > but the manager application is still configured to require authentication.
> > See this note from the link I sent previously.
> >
> > "It would be quite unsafe to ship Tomcat with default settings that allowed
> > anyone on the Internet to execute the Manager application on your server.
> > Therefore, the Manager application is shipped with the requirement that
> > anyone who attempts to use it must authenticate themselves, using a
> > username and password that have one of manager-** roles associated with
> > them (the role name depends on what functionality is required). Further,
> > there is no username in the default users file
> > ($CATALINA_BASE/conf/tomcat-users.xml) that is assigned to those roles.
> > Therefore, access to the Manager application is completely disabled by
> > default. "
> >
> > Did you do something in your previous setup to disable authentication?
>
> That's what I am looking hard and I can't seem to find anything different I
> did, in manager's web.xml in 7.0.23. There is nothing in manager's
> META-INF/context.xml either.
>
> > How are the JSPs invoking the JMXProxyServlet? Are they sending an HTTP
> > request?
>
> The JSPs simply forward the request to the jmxproxy servlet as follows, in
> the heapused.jsp:
>
> ----------start of heapused.jsp:---------
> <jsp:forward page="/jmxproxy/">
>     <jsp:param name="get" value="java.lang:type=Memory" />
>     <jsp:param name="att" value="HeapMemoryUsage" />
>     <jsp:param name="key" value="used" />
> </jsp:forward>
> --------------end of heapused.jsp--------

I tried adding this to my manager app and it was triggering a 403. A quick investigation showed the 403 was coming from the CSRF filter (i.e. 403 with direct access, success with nonce in the URL). Maybe you're seeing the same thing?

Dan
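
Added example, not part of the original message and not Tomcat's own code: a simplified Python model of a nonce-checking CSRF filter, showing why a direct request to a protected path returns 403 while the same request carrying a previously issued nonce succeeds. The class name, the paths `/entry` and `/protected/heapused.jsp`, and the cache size are assumptions made for illustration.

```python
import secrets
from collections import OrderedDict

# Request parameter name Tomcat's CsrfPreventionFilter uses for the nonce.
NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"


class NonceFilterModel:
    """Simplified per-session model of a nonce-checking CSRF filter."""

    def __init__(self, entry_points, cache_size=5):
        self.entry_points = set(entry_points)  # GET-able without a nonce
        self.cache_size = cache_size           # assumed size for this model
        self.nonces = OrderedDict()            # issued nonces, oldest first

    def _issue(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = True
        while len(self.nonces) > self.cache_size:
            self.nonces.popitem(last=False)    # evict the oldest nonce
        return nonce

    def handle(self, method, path, params=None):
        """Return (status, nonce to embed in links of the response)."""
        params = params or {}
        is_entry = method == "GET" and path in self.entry_points
        if not is_entry and params.get(NONCE_PARAM) not in self.nonces:
            return 403, None                   # no nonce, or an unknown one
        return 200, self._issue()


def demo():
    # Constructed paths: one entry point and one page behind the filter.
    f = NonceFilterModel(entry_points={"/entry"})
    page = "/protected/heapused.jsp"
    direct, _ = f.handle("GET", page)                      # typed-in URL
    _, nonce = f.handle("GET", "/entry")                   # obtain a nonce
    with_nonce, _ = f.handle("GET", page, {NONCE_PARAM: nonce})
    unknown, _ = f.handle("GET", page, {NONCE_PARAM: "0" * 32})
    return direct, with_nonce, unknown


if __name__ == "__main__":
    print(demo())
```
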