Re: Tomcat 7.0.33 manager - 403 Access Denied
2013/4/24 Shanti Suresh :
> Hi Konstantin,
>
> On Tue, Apr 23, 2013 at 6:48 PM, Konstantin Kolinko wrote:
>>
>>> I can't tell what I'm missing. Also, steps #2 and #3 are not even required
>>> if I am using the RemoteAddrValve, correct?
>>
>> No. They are not related to RemoteAddrValve.
>
> Thanks!
>
>> I would say that you should be stopped by CsrfPreventionFilter,
>> because your heapused.jsp is not in the list of configured entry
>> points.
>
> Bingo!
>
>> Shanti wrote:
>>> The funny thing is that I gather the JMX metrics in an identical manner on
>>> Tomcat 7.0.23 and JDK 1.6 on several other RedHat Linux servers.
>>
>> CVE-2012-4431
>
> Thanks so much!
>
> I am now able to get heapused.jsp to work. I only had to add heapused.jsp
> into web.xml. I did not need to add "/jmxroxy/".
>
> -manager/WEB-INF/web.xml:-
>   CSRF
>   org.apache.catalina.filters.CsrfPreventionFilter
>   entryPoints
>   /html,/html/,/html/list,/heapused.jsp,/index.jsp
>
> curl http://localhost:6090/manager/heapused.jsp ==> gives me the value.
>
> One question I have though is that I have other JSP pages for gathering
> other JMX metrics. I would like to not have to list these individually as
> entry points. I tried to put these JSPs into a jmx/ sub-directory under
> manager/. I added: "/jmx/*" both individually
> as well as in conjunction with in web.xml.
>
>   CSRF
>   org.apache.catalina.filters.CsrfPreventionFilter
>   entryPoints
>   /html,/html/,/html/list,/jmx/,/heapused.jsp,/index.jsp
>   /jmx/*
>
> But I got a 403 upon accessing:
>
> curl http://localhost:6090/manager/jmx/heapused.jsp
>
> The CSRF filter documentation did not mention "url-pattern":
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
>
> Is there a way to achieve what I'd like?

The source code is out there. You can subclass the filter, implement your own, or propose a patch. This feature was not needed, thus nobody implemented it.

Alternatively, it is possible to change filter mapping so that it is not mapped to jsp servlet as a whole but to "/index.jsp" only (the only publicly callable jsp page there).

Best regards,
Konstantin Kolinko

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
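The two outcomes discussed in this thread (a 403 for /jmx/heapused.jsp even with "/jmx/*" in entryPoints, and the "map the filter to /index.jsp only" alternative) follow from one property of CsrfPreventionFilter: entry points are compared by exact string match against the context-relative request path, with no url-pattern globbing. The Python below is an added example, not Tomcat's code and not anything posted in the thread. It parses the CSRF filter's filter, filter-mapping and servlet-mapping entries out of a web.xml and reproduces that decision rule so a practitioner can check a configuration before restarting Tomcat. The web.xml text is constructed: the entry-point list and filter class are the ones from the thread, while the surrounding elements, the HTMLManager servlet mapping, and the assumption that conf/web.xml maps the container "jsp" servlet to *.jsp/*.jspx are supplied here.

```python
# Added example (not Tomcat's code, not from the thread): a model of how
# Tomcat 7's CsrfPreventionFilter decides on a request, driven by the CSRF
# <filter>, <filter-mapping> and <servlet-mapping> entries of a web.xml.
# The rule it reproduces: an entry point matches only by exact comparison
# with the context-relative request path, so "/jmx/*" in entryPoints never
# matches a real request.
import xml.etree.ElementTree as ET

CSRF_CLASS = "org.apache.catalina.filters.CsrfPreventionFilter"

# Assumption: conf/web.xml maps the container's "jsp" servlet to *.jsp/*.jspx.
CONTAINER_SERVLETS = {"jsp": ["*.jsp", "*.jspx"]}

# Constructed sample of manager/WEB-INF/web.xml.  The entry-point list and the
# filter class are the thread's; the surrounding elements and the HTMLManager
# servlet mapping are assumptions.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>CSRF</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>entryPoints</param-name>
      <param-value>/html,/html/,/html/list,/jmx/,/heapused.jsp,/index.jsp,/jmx/*</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CSRF</filter-name>
    <servlet-name>HTMLManager</servlet-name>
    <servlet-name>jsp</servlet-name>
  </filter-mapping>
  <servlet-mapping>
    <servlet-name>HTMLManager</servlet-name>
    <url-pattern>/html/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Konstantin's alternative: map the filter to /index.jsp only, not to the
# whole jsp servlet.
WEB_XML_NARROWED = WEB_XML.replace(
    "<servlet-name>jsp</servlet-name>", "<url-pattern>/index.jsp</url-pattern>")


def _kids(el, name):
    """Direct children with the given local name (XML namespace stripped)."""
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]


def _text(el, name):
    kids = _kids(el, name)
    return (kids[0].text or "").strip() if kids else ""


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, /prefix/* or *.ext."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def parse_csrf_config(web_xml):
    """Return (entry_points, url_patterns) for the CsrfPreventionFilter."""
    root = ET.fromstring(web_xml)
    servlets = {k: list(v) for k, v in CONTAINER_SERVLETS.items()}
    for sm in _kids(root, "servlet-mapping"):
        servlets.setdefault(_text(sm, "servlet-name"), []).extend(
            p.text.strip() for p in _kids(sm, "url-pattern"))
    names, entry_points = set(), set()
    for f in _kids(root, "filter"):
        if _text(f, "filter-class") != CSRF_CLASS:
            continue
        names.add(_text(f, "filter-name"))
        for ip in _kids(f, "init-param"):
            if _text(ip, "param-name") == "entryPoints":
                entry_points |= {p.strip() for p in
                                 _text(ip, "param-value").split(",") if p.strip()}
    patterns = []
    for fm in _kids(root, "filter-mapping"):
        if _text(fm, "filter-name") in names:
            patterns += [p.text.strip() for p in _kids(fm, "url-pattern")]
            for sn in _kids(fm, "servlet-name"):
                patterns += servlets.get(sn.text.strip(), [])
    return entry_points, patterns


def csrf_decision(config, method, path, valid_nonce=False):
    """Decide one request the way CsrfPreventionFilter.doFilter does.
    path is context-relative (servletPath + pathInfo), e.g. "/jmx/heapused.jsp"
    for http://host/manager/jmx/heapused.jsp.  Returns (http_status, reason)."""
    entry_points, patterns = config
    if not any(pattern_matches(p, path) for p in patterns):
        return 200, "filter not mapped to this path"
    if method == "GET" and path in entry_points:  # exact match, no globbing
        return 200, "entry point"
    if valid_nonce:
        return 200, "valid nonce in request"
    return 403, "not an entry point and no valid nonce"
```

Running csrf_decision over the thread's own URLs shows /heapused.jsp passing as an entry point, /jmx/heapused.jsp getting 403 because "/jmx/*" is only ever compared literally, and, with WEB_XML_NARROWED, /jmx/heapused.jsp passing only because the filter no longer covers it at all. That last point is the caveat of the mapping change: every JSP in the manager webapp other than /index.jsp loses CSRF protection, which is tolerable here only because these pages merely read JMX values and the RemoteAddrValve limits callers to 127.0.0.1. The model also ignores the denyStatus init-param and the nonce cache, which do not change the entry-point rule.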
Re: Tomcat 7.0.33 manager - 403 Access Denied
Hi Konstantin,

On Tue, Apr 23, 2013 at 6:48 PM, Konstantin Kolinko wrote:
>
>> I can't tell what I'm missing. Also, steps #2 and #3 are not even required
>> if I am using the RemoteAddrValve, correct?
>
> No. They are not related to RemoteAddrValve.

Thanks!

> I would say that you should be stopped by CsrfPreventionFilter,
> because your heapused.jsp is not in the list of configured entry
> points.

Bingo!

> Shanti wrote:
>> The funny thing is that I gather the JMX metrics in an identical manner on
>> Tomcat 7.0.23 and JDK 1.6 on several other RedHat Linux servers.
>
> CVE-2012-4431

Thanks so much!

I am now able to get heapused.jsp to work. I only had to add heapused.jsp
into web.xml. I did not need to add "/jmxroxy/".

-manager/WEB-INF/web.xml:-
  CSRF
  org.apache.catalina.filters.CsrfPreventionFilter
  entryPoints
  /html,/html/,/html/list,/heapused.jsp,/index.jsp

curl http://localhost:6090/manager/heapused.jsp ==> gives me the value.

One question I have though is that I have other JSP pages for gathering
other JMX metrics. I would like to not have to list these individually as
entry points. I tried to put these JSPs into a jmx/ sub-directory under
manager/. I added: "/jmx/*" both individually
as well as in conjunction with in web.xml.

  CSRF
  org.apache.catalina.filters.CsrfPreventionFilter
  entryPoints
  /html,/html/,/html/list,/jmx/,/heapused.jsp,/index.jsp
  /jmx/*

But I got a 403 upon accessing:

curl http://localhost:6090/manager/jmx/heapused.jsp

The CSRF filter documentation did not mention "url-pattern":
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

Is there a way to achieve what I'd like?

Thanks!

-Shanti
Re: Tomcat 7.0.33 manager - 403 Access Denied
2013/4/23 Shanti Suresh :
> All,
>
> I am wondering what I'm doing wrong - the Manager application is denying me
> access.
> Here are the details:
>
> Tomcat version:
>   7.0.33
> JDK version:
>   java version "1.7.0_09"
>   Java(TM) SE Runtime Environment (build 1.7.0_09-b05)
>   Java HotSpot(TM) 64-Bit Server VM (build 23.5-b02, mixed mode)
> Operating System:
>   RedHat Linux - 2.6.18-348.4.1.el5
>
> Steps I took to permit "manager":
> (1) $CATALINA_HOME/conf/Catalina/localhost/manager.xml--:
>   docBase="${catalina.home}/webapps/manager"
>   allow="127\.0\.0\.1"/>
>
> (2) --$CATALINA_HOME/conf/tomcat-users.xml:--
>   password="r5678dcdddxx"
>   roles="standard,manager-jmx" />
> ---
>
> (3) $CATALINA_HOME/conf/server.xml:--Added digest=SHA:-
>   resourceName="UserDatabase" digest="SHA"/>
> ---
>
> (4) Added heapused.jsp as follows:
> $ cd $CATALINA_HOME/webapps/manager
> $ more heapused.jsp
>
> (5) Restarted Tomcat
>
> (6) I get a 403 Access Denied upon:
> curl http://localhost:8080/manager/heapused.jsp
>
> I can't tell what I'm missing. Also, steps #2 and #3 are not even required
> if I am using the RemoteAddrValve, correct?

No. They are not related to RemoteAddrValve.

I would say that you should be stopped by CsrfPreventionFilter,
because your heapused.jsp is not in the list of configured entry
points.

Shanti wrote:
> The funny thing is that I gather the JMX metrics in an identical manner on
> Tomcat 7.0.23 and JDK 1.6 on several other RedHat Linux servers.

CVE-2012-4431

Best regards,
Konstantin Kolinko
RE: Tomcat 7.0.33 manager - 403 Access Denied
I'm not sure if it's applicable here, but I'll let you know my prior experience with this kind of thing on Tomcat 6.0.xx. I've had to stop the manager app, clear out the work folder and I think maybe even delete the manager.xml file out of the conf\Catalina\localhost dir because it wasn't getting overwritten. Not sure if this is happening to you or not.

-Original Message-
From: Shanti Suresh [mailto:sha...@umich.edu]
Sent: Tuesday, April 23, 2013 3:20 PM
To: Tomcat Users List
Subject: Re: Tomcat 7.0.33 manager - 403 Access Denied

Hi Jakub,

Thank you for the suggestions. Appreciate the thoughts.

On Tue, Apr 23, 2013 at 3:33 PM, Jakub 1983 wrote:
> try to comment out RemoteAddrValve,
> and check if the error still exists

Yes, I had tried that. It didn't work.

> have you added into users.xml ?
> add and try with web page, what is the
> error ?

Good idea. Adding a manager-jmx role entry didn't make a difference. And, yes, I am able to access "/manager/html/". I logged in at the prompt.

> have you tried with bare
>   resourceName="UserDatabase"/> - without sha ?

Passwords work fine. So SHA is not the issue.

> for me, starting with pure downloaded latest tomcat 7, following
> configuration enables html manager:
>
>   roles="tomcat,manager-gui,admin"/>

HTML manager works for me too.

> download new tomcat,

Yes, I may have to do that.

> check if above conf works for you, then add manager-jmx, check with
> jmx and then add RemoteAddrValve, check, and then add sha.

The funny thing is that I gather the JMX metrics in an identical manner on Tomcat 7.0.23 and JDK 1.6 on several other RedHat Linux servers.

Thanks for letting me brainstorm.

-Shanti
Re: Tomcat 7.0.33 manager - 403 Access Denied
Hi Jakub,

Thank you for the suggestions. Appreciate the thoughts.

On Tue, Apr 23, 2013 at 3:33 PM, Jakub 1983 wrote:
> try to comment out RemoteAddrValve,
> and check if the error still exists

Yes, I had tried that. It didn't work.

> have you added into users.xml ?
> add and try with web page, what is the error
> ?

Good idea. Adding a manager-jmx role entry didn't make a difference. And, yes, I am able to access "/manager/html/". I logged in at the prompt.

> have you tried with bare
>   resourceName="UserDatabase"/> - without sha ?

Passwords work fine. So SHA is not the issue.

> for me, starting with pure downloaded latest tomcat 7, following
> configuration enables html manager:
>
>   roles="tomcat,manager-gui,admin"/>

HTML manager works for me too.

> download new tomcat,

Yes, I may have to do that.

> check if above conf works for you, then add manager-jmx, check with jmx
> and then add RemoteAddrValve, check, and then add sha.

The funny thing is that I gather the JMX metrics in an identical manner on Tomcat 7.0.23 and JDK 1.6 on several other RedHat Linux servers.

Thanks for letting me brainstorm.

-Shanti
Re: Tomcat 7.0.33 manager - 403 Access Denied
try to comment out RemoteAddrValve,
and check if the error still exists

have you added into users.xml ?
add and try with web page, what is the error ?

have you tried with bare - without sha ?

for me, starting with pure downloaded latest tomcat 7, following
configuration enables html manager:

download new tomcat,
check if above conf works for you, then add manager-jmx, check with jmx
and then add RemoteAddrValve, check, and then add sha.

regards
Jakub

On Tue, Apr 23, 2013 at 8:20 PM, Shanti Suresh wrote:
> Hi Leo,
>
> On Tue, Apr 23, 2013 at 1:56 PM, Leo Donahue - RDSA IT <
> leodona...@mail.maricopa.gov> wrote:
>> Is that password really the SHA value of something?
>>
>> If your password was: password1, then you would store the SHA value of
>> "password1" in your tomcat-users.xml
>
> Not the entry I posted. I munged it. But yes, I use the SHA digests of
> passwords in tomcat-users.xml.
>
> Thanks for checking.
>
> -Shanti
Re: Tomcat 7.0.33 manager - 403 Access Denied
Hi Leo,

On Tue, Apr 23, 2013 at 1:56 PM, Leo Donahue - RDSA IT <
leodona...@mail.maricopa.gov> wrote:
> Is that password really the SHA value of something?
>
> If your password was: password1, then you would store the SHA value of
> "password1" in your tomcat-users.xml

Not the entry I posted. I munged it. But yes, I use the SHA digests of passwords in tomcat-users.xml.

Thanks for checking.

-Shanti
RE: Tomcat 7.0.33 manager - 403 Access Denied
>-Original Message-
>From: Shanti Suresh [mailto:sha...@umich.edu]
>Subject: Tomcat 7.0.33 manager - 403 Access Denied
>
>All,
>
>I am wondering what I'm doing wrong - the Manager application is denying me
>access.
>Here are the details:
>
>Tomcat version:
>  7.0.33
>JDK version:
>  java version "1.7.0_09"
>  Java(TM) SE Runtime Environment (build 1.7.0_09-b05)
>  Java HotSpot(TM) 64-Bit Server VM (build 23.5-b02, mixed mode)
>Operating System:
>  RedHat Linux - 2.6.18-348.4.1.el5
>
>Steps I took to permit "manager":
>(1) $CATALINA_HOME/conf/Catalina/localhost/manager.xml--:
>  docBase="${catalina.home}/webapps/manager"
>  allow="127\.0\.0\.1"/>
>
>(2) --$CATALINA_HOME/conf/tomcat-users.xml:--
>  password="r5678dcdddxx"
>  roles="standard,manager-jmx" />

Is that password really the SHA value of something?

If your password was: password1, then you would store the SHA value of "password1" in your tomcat-users.xml

>---
>
>(3) $CATALINA_HOME/conf/server.xml:--Added digest=SHA:-
>  resourceName="UserDatabase" digest="SHA"/>