(4) Tomcat graphics management and identity authentication configuration

Source: Internet
Author: User

Unlike most service programs, Tomcat is awkward to manage purely from the command line; it is better managed through its graphical management interface, for example to deploy a new webapp or reload an existing one dynamically without stopping Tomcat. Without the graphical management tool, Tomcat can also be configured for automatic deployment (autoDeploy="true"), but then we cannot control when a webapp is redeployed.

Official manual for graphical management tools: Manager App how-to.

Enter the IP address of the Tomcat machine and the connector's listening port directly in the browser to reach Tomcat's welcome page, from which the graphical management interface is linked. This welcome page is provided by the default Host component, localhost, of the Tomcat Engine; its path is $CATALINA_HOME/webapps/ROOT/index.jsp.

The corresponding Host element in conf/server.xml:

    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

The welcome page has 3 buttons, corresponding to the 3 administrative tools that Tomcat installs by default: the Server Status view tool, the Manager App webapp management tool (very important), and the Host Manager virtual host management tool.

The first 2 tools are provided by the webapp named manager, and the third by the webapp named host-manager, so in what follows we assume there are only two management applications: manager and host-manager. Both live in the webapps directory.

Click any of these 3 buttons to reach the respective management interface. On the first click, however, a "403 Access denied" error appears, prompting you to configure conf/tomcat-users.xml to grant the appropriate permissions to a role.

Since both the Server Status and the Manager App buttons are served by the manager app, clicking either of them pops up the same error message.

The above error page is translated as follows:

401 Unauthorized
You are not authorized to view this page. If you have not changed any configuration files, check the file conf/tomcat-users.xml in your installation. That file must contain the credentials that allow you to use this web application. For example, to add the manager-gui role to a user named tomcat with the password s3cret, add the following to the configuration file listed above: <role rolename="manager-gui"/><user username="tomcat" password="s3cret" roles="manager-gui"/>
Note that for Tomcat 7 and later, the roles required to use the manager application have changed from the single manager role to the following four roles. Assign the roles needed for the features you want to access:
    • manager-gui: allows access to the HTML GUI and the status pages
    • manager-script: allows access to the text interface and the status pages
    • manager-jmx: allows access to the JMX proxy and the status pages
    • manager-status: allows access to the status pages only
The HTML interface is protected against CSRF, but the text and JMX interfaces are not. To keep that CSRF protection effective, users with the manager-gui role should not also be granted the manager-script or manager-jmx role. If the text or JMX interface is accessed through a browser (for example for testing, since these interfaces are intended for tools rather than humans), close the browser afterwards to terminate the session.

Here is the error page shown when clicking the Host Manager button:

The above error page is translated as follows:

401 Unauthorized
You are not authorized to view this page. If you have not changed any configuration files, check the file conf/tomcat-users.xml in your installation. That file must contain the credentials that allow you to use this web application. For example, to add the admin-gui role to a user named tomcat with the password s3cret, add the following to the configuration file listed above: <role rolename="admin-gui"/><user username="tomcat" password="s3cret" roles="admin-gui"/>
Note that for Tomcat 7 and later, the roles required to use the Host Manager application have changed from the single admin role to the following two roles. Assign the roles needed for the features you want to access:
    • admin-gui: allows access to the HTML GUI
    • admin-script: allows access to the text interface
The HTML interface is protected against CSRF, but the text interface is not. To keep that CSRF protection effective, users with the admin-gui role should not also be granted the admin-script role. If the text interface is accessed through a browser (for example for testing, since this interface is intended for tools rather than humans), close the browser afterwards to terminate the session.

In summary, these two management applications have the following predefined roles in total; the last two are the roles required by Host Manager in the figure above.

    • manager-gui: allows access to the HTML GUI and the status pages
    • manager-script: allows access to the text interface and the status pages
    • manager-jmx: allows access to the JMX proxy and the status pages
    • manager-status: allows access to the status pages only
    • admin-gui: allows access to the HTML GUI
    • admin-script: allows access to the text interface

For users holding the manager-gui role, it is strongly recommended not to also grant them the manager-script or manager-jmx role.

These rolename values are already predefined in the web.xml of each management application:

    # cd $CATALINA_HOME/webapps
    # grep 'role-name' host-manager/WEB-INF/web.xml
    <role-name>admin-script</role-name>
    <role-name>admin-gui</role-name>
    <role-name>admin-gui</role-name>
    <role-name>admin-script</role-name>
    # grep 'role-name' manager/WEB-INF/web.xml
    <role-name>manager-gui</role-name>
    <role-name>manager-script</role-name>
    <role-name>manager-jmx</role-name>
    <role-name>manager-gui</role-name>
    <role-name>manager-script</role-name>
    <role-name>manager-jmx</role-name>
    <role-name>manager-status</role-name>
    <role-name>manager-gui</role-name>
    <role-name>manager-script</role-name>
    <role-name>manager-jmx</role-name>
    <role-name>manager-status</role-name>

Therefore, these names can be referenced directly in the authentication file of the management applications. So how do you configure authentication so that only authenticated users can use these management tools? As the error pages above suggest, you simply configure it in $CATALINA_HOME/conf/tomcat-users.xml.

For example, configure a user with one of the predefined roles.

Note that the user name and password are arbitrary, but the role name cannot be chosen freely: it must be one of the roles predefined in the application's web.xml file.

Restart Tomcat. This configuration is sufficient on Tomcat 8.0 and earlier, but on Tomcat 8.5 and later it is not enough, and you also need to do the following:

Open the webapps/manager/META-INF/context.xml file (not conf/context.xml).

Comment out the Valve element inside it (only the <Valve/> element), or modify it as follows:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="192\.168\.2\.\d+|127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>

This allows access from the 192.168.2.0 network segment (the segment of my current LAN) and from the local loopback addresses; change the segment or the specific IP to the one you access from.

For example, if your network segment is 192.168.1.0, write 192\.168\.1\.\d+; to allow only 192.168.1.100, write 192\.168\.1\.100.

Note: if you also want to access the Host Manager, modify webapps/host-manager/META-INF/context.xml in the same way.

Save, restart Tomcat, and revisit the Server Status and Manager App pages; enter the user name and password set above to access them.
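To check both points made above, that no user combines manager-gui with manager-script or manager-jmx (or admin-gui with admin-script), and that the RemoteAddrValve allow pattern admits exactly the addresses you intend, here is an added Python example (not code from the article or from Tomcat). The tomcat-users.xml content is constructed for the example; the allow pattern is the one from the context.xml above, and the matcher mimics RemoteAddrValve, which requires the whole remote address to match the regex.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (not from the article). The "ops" user
# deliberately breaks the CSRF guidance by holding manager-gui and manager-script.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="ops" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="s3cret" roles="manager-script"/>
</tomcat-users>
"""

# The allow pattern from webapps/manager/META-INF/context.xml in the article.
ALLOW_PATTERN = r"192\.168\.2\.\d+|127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

# HTML (CSRF-protected) roles and the roles that must not be combined with them.
UNSAFE_WITH_GUI = {
    "manager-gui": {"manager-script", "manager-jmx"},
    "admin-gui": {"admin-script"},
}


def users_with_mixed_roles(xml_text):
    """Return usernames holding a *-gui role together with a script/jmx role."""
    root = ET.fromstring(xml_text)
    flagged = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":   # strip the XML namespace
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        for gui_role, forbidden in UNSAFE_WITH_GUI.items():
            if gui_role in roles and roles & forbidden:
                flagged.append(elem.get("username"))
                break
    return flagged


def remote_addr_allowed(pattern, client_ip):
    """Mimic RemoteAddrValve: the entire remote address must match the allow regex."""
    return re.fullmatch(pattern, client_ip) is not None


if __name__ == "__main__":
    print("users with unsafe role mix:", users_with_mixed_roles(TOMCAT_USERS_XML))
    for ip in ("192.168.2.10", "192.168.1.10", "127.0.0.1", "::1", "10.0.0.1"):
        print(ip, "allowed" if remote_addr_allowed(ALLOW_PATTERN, ip) else "denied")
```

Keep in mind that the valve compares the connection's own remote address, so behind a reverse proxy every request appears to come from the proxy unless the client address is restored first (for example with RemoteIpValve).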

First button: Status page

Second button: Application Management interface

Here you can easily start, stop, deploy, redeploy, and deploy local projects for each webapp, among other operations.

Third button: Virtual Host Management interface
