The username you provided is not allowed to use the text-based Tomcat Manager (error 403) when deploying on remote Tomcat8 using Jenkins

Question

I am trying to deploy a WAR on the remote Tomcat (Remote Machine) using Jenkins deploy to container Plugin. I have done the following configuration in tomcat-users.xml

<user username="deployer" password="deployer" roles="manager-gui,manager-script,admin" />

I have setup the proper username password and port in Jenkins deployer container plugin. The setup is working fine for the local Tomcat. But for remote Tomcat I keep getting the following error:

Caused by: org.codehaus.cargo.container.tomcat.internal.TomcatManagerException: The username you provided is not allowed to use the text-based Tomcat Manager (error 403) at org.codehaus.cargo.container.tomcat.internal.TomcatManager.invoke(TomcatManager.java:555)

at org.codehaus.cargo.container.tomcat.internal.TomcatManager.list(TomcatManager.java:686) 
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.getStatus(TomcatManager.java:699) 
at org.codehaus.cargo.container.tomcat.internal.AbstractTomcatManagerDeployer.redeploy(AbstractTomcatManagerDeployer.java:174)

... 16 more
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: http://1.203.190.5:8080/manager/text/list 
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) 
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) 
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.invoke(TomcatManager.java:544) ... 19 more

Answer 1

This seems to be a Jenkins bug but I got around the problem by setting up following configuration in Tomcat:

Edit the file /webapps/manager/META-INF/context.xml:

Previous:

<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>

Change this file to comment the Value:

<Context antiResourceLocking="false" privileged="true">
  <!--
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
    -->
</Context>

This resolved the issue.

Answer 2

I was facing the same issue while deploying artifact to tomcat with jenkins via container plugin, Solution:- i have added manager-script and manager-gui in the roles of the user and provide the full access to webapps/* directory. It helps me to deploy the artifact successfully and able to view it with manager-app.

Answer 3

My OS : Debain 10

I solved this by editing file /opt/tomcat/conf/tomcat-users.xml and added manager-script role

  <role rolename="admin-gui,manager-gui,manager-script,manager-jmx,manager-status,admin-gui"/>
  <user username="admin" password="password" roles="admin-gui,manager-gui,manager-script"/>

Answer 4

You just need to add the jenkins IP address to the valve.

You need to update : /webapps/manager/META-INF/context.xml. Because it allows only localhost. If you know the specific hostname or IP, you can add it replacing XXX.XXX.XXX.XXX by the IP address. It's realy important to keep the security in place.

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|XXX.XXX.XXX.XXX" />
</Context>

After that, you need to restart tomcat.

$CATALINA_HOME/bin/shutdown.sh && $CATALINA_HOME/bin/startup.sh

Answer 5

If nothing works simply create another user in tomcat-users.xml file with magnager-script role assigned and set this user credential to jenkins .

In tomcat-users.xml file

<tomcat-users>
<user  username="deployuser" password="deployuser" roles="manager-script" />
<user username="admin" password="admin" roles="manager-gui" />
</tomcat-users>