I have Tomcat v9 installed on Linux. When I try to access the Manager App, it does not ask for any login and shows a 403 Access Denied error on the next page.
The tomcat-users.xml file shows the user entries as below:
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="admin" password="admin" roles="admin-gui,manager-gui"/>
<user username="tomcat" password="tomcat" roles="tomcat,manager-gui"/>
<user username="both" password="both" roles="tomcat,role1"/>
<user username="role1" password="role1" roles="role1"/>
</tomcat-users>
Also, from server.xml, the tomcat-users.xml file is mapped properly.
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
I don't understand why it is not asking me to log in. Until it does so, I cannot validate whether it's getting the proper role or not. What may be the issue?
There is a new IP address restriction in the manager app itself. Take a look at the configuration file TOMCAT_HOME\webapps\manager\META-INF\context.xml. There should be something like this:
<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
I would suggest adding your remote IP address, e.g. allow the private network 192.168.0.0:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.0\.\d+" />
PS: Same settings need to be changed for the host-manager.
Please check if the </tomcat-users> tag is used twice in your 'tomcat-users.xml'.
This is a common mistake I have seen people make.
Normally people write the </tomcat-users> tag after they finish writing their own code and don't notice that it already exists at the end of the file.
Otherwise, your code looks good. I just ran it, and it works perfectly!
I was running into the same error just now. I determined that it was, as previously listed, an IP restriction issue.
The documentation states that by default you should be able to access management from the local server where the software is installed. What I found worked to allow the authentication popup was using http://127.0.0.1:8080 instead of http://servername:8080.
When I used the loopback address instead of the servername or actual IP address in the URL I was correctly prompted for the credentials and could access what I needed. That way you don't have to open up the management page from other nodes on your network.
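Added example (not part of the original answers and not Tomcat's own code): a Python model of the RemoteAddrValve allow check described in the first and last answers, showing which client addresses get past the filter to the login prompt and how much the 192.168.0.x addition exposes. It assumes the whole address must match the allow pattern (approximated with `re.fullmatch`) and ignores any deny attribute; the `context_xml` helper, the function names and the probe addresses are constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"
LOCAL_ONLY = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"  # default pattern quoted above

def context_xml(allow):
    """Build a constructed manager context.xml carrying the given allow pattern."""
    return ('<Context antiResourceLocking="false" privileged="true">'
            f'<Valve className="{VALVE_CLASS}" allow="{allow}" /></Context>')

DEFAULT_XML = context_xml(LOCAL_ONLY)
WIDENED_XML = context_xml(LOCAL_ONLY + r"|192\.168\.0\.\d+")  # variant from the answer

# Constructed probes: loopback (v4 and v6), two LAN hosts, one documentation-range address.
PROBES = ["127.0.0.1", "0:0:0:0:0:0:0:1", "192.168.0.25", "192.168.1.25", "203.0.113.7"]

def allow_patterns(xml_text):
    """Return the allow regex of every RemoteAddrValve in a context.xml string."""
    root = ET.fromstring(xml_text)
    return [v.get("allow") for v in root.iter("Valve")
            if v.get("className") == VALVE_CLASS and v.get("allow")]

def is_allowed(xml_text, remote_addr):
    """Assumption: the full address must match each valve's allow pattern.
    With no valve present there is no address filter, so everything passes."""
    return all(re.fullmatch(p, remote_addr) is not None
               for p in allow_patterns(xml_text))

def non_loopback_allowed(xml_text, probes=PROBES):
    """Probe addresses that pass the filter without being loopback,
    i.e. the network exposure the allow pattern gives the manager app."""
    return [a for a in probes
            if is_allowed(xml_text, a) and not ipaddress.ip_address(a).is_loopback]

if __name__ == "__main__":
    for label, xml_text in (("default", DEFAULT_XML), ("widened", WIDENED_XML)):
        print(label)
        for addr in PROBES:
            verdict = "login prompt" if is_allowed(xml_text, addr) else "403"
            print(f"  {addr:<18} {verdict}")
        print("  reachable beyond loopback:", non_loopback_allowed(xml_text))
```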