Bill,

On 11/24/11 11:42 PM, Bill Wang wrote:
> Thanks, with your help, I found this link:
> http://onjava.com/onjava/2001/07/24/tomcat.html. It seems you need me
> to set up MemoryRealm, then set up a security constraint in
> webapps/manager/WEB-INF/web.xml

Wow, you didn't have any protection on your manager webapp? You should
already have had some kind of Realm configured. If you already had a
Realm configured, then you didn't need to enable MemoryRealm (which is
mostly a toy for doing simple authentication kind of like htpasswd is
for Apache httpd).

> There is an existing role "manager". I try to understand it and add a
> new role "restart" in this web.xml, but always get permission denied.

Post what you've got in your web.xml for <security-constraint> and
<user-role> and we'll take a look.

> So could you please give some instructions on how to set up the URLs
> below for that role "restart" only?
> 
> http://hostname:8181/manager/html/stop?path=/APPNAME 
> http://hostname:8181/manager/html/start?path=/APPNAME

You really need to read the servlet spec for an explanation of how to
set up authorization in web.xml. Briefly, you're going to want
something like this new <security-constraint> in your web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Just Restarts through the Web UI</web-resource-name>
            <url-pattern>/html/restart</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>manager-gui</role-name>
            <role-name>manager-gui-restart</role-name>
        </auth-constraint>
    </security-constraint>

...

  <security-role>
    <description>
      People who can restart webapps.
    </description>
    <role-name>manager-gui-restart</role-name>
  </security-role>

-chris
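
An added example, not part of the original message and not Tomcat code: a small Python model of how a servlet container selects the constraint for a request (only the best-matching url-pattern applies), run against a constructed descriptor that pairs the constraint above with an assumed existing /html/* rule for manager-gui. It ignores http-method, the "*" role and constraints without named roles; the function names and the sample paths are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed fragment (no XML namespace): a broad /html/* rule,
# assumed to exist already, plus the exact-path constraint from the reply.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/html/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/html/restart</url-pattern></web-resource-collection>
    <auth-constraint>
      <role-name>manager-gui</role-name>
      <role-name>manager-gui-restart</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Map each url-pattern to the union of roles named for it."""
    rules = {}
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        for pat in sc.iter("url-pattern"):
            rules.setdefault(pat.text.strip(), set()).update(roles)
    return rules

def best_match(rules, path):
    """Servlet mapping order: exact, longest path prefix, extension, default."""
    if path in rules:
        return path
    prefixes = [p for p in rules if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        return max(prefixes, key=len)
    last = path.rsplit("/", 1)[-1]
    ext = "*." + last.rsplit(".", 1)[-1]
    if "." in last and ext in rules:
        return ext
    return "/" if "/" in rules else None

def allowed(rules, path, user_roles):
    """Roles on the best-matching pattern decide; no match means unconstrained."""
    pattern = best_match(rules, path)
    return pattern is None or bool(rules[pattern] & set(user_roles))

RULES = load_constraints(WEB_XML)
for roles in (["manager-gui"], ["manager-gui-restart"]):
    for path in ("/html/restart", "/html/list"):
        print(roles, path, allowed(RULES, path, roles))
```

A user holding only manager-gui-restart passes the exact /html/restart pattern and is refused on every other path under /html/*, while a path that matches no pattern at all is left unconstrained.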
