On 17/02/2024 21:42, Dan McLaughlin wrote:
We've had the same LDAP realm configured for probably 10 years, and the
same roles in our LDAP for probably the same. We have 4 roles configured
in LDAP manager-gui, manager-jmx, manager-script, and manager-status. My
user only has the manager-gui role. Everything has worked fine up until
about the time we moved to Tomcat 10.1. Now, I can log in just fine, but
if I try to click stop, start, reload, or undeploy, I always get a 403. I
don't see any errors in the logs telling me why. Does anyone have pointers
on debugging this? My user only has the manager-gui role; the only users
with the JMX or script roles are the users I use for Nagios monitoring of
JMX parameters.
FYI... I can't reproduce it using Tomcat 10.1 running in docker using the
same LDAP realm configuration, so that tells me it has nothing to do with
the roles not being correct...and they should be correct since they haven't
changed since I set things up probably 10 years ago. The only change has
been the upgrade of Tomcat. Could CSRF somehow be involved? It might be
about when CSRF was introduced that I started having issues. I haven't
tried removing the filter yet, only because it really doesn't seem related
based on my understanding of how the filter works.
If someone knows the specific packages, I might want to bump up the logging
on; that would probably be most helpful at this point.
Try:
org.apache.catalina.filters.CsrfPreventionFilter.level=ALL
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
