Re: Tomcat user roles
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bill, On 12/8/11 7:33 PM, Bill Wang wrote: Thanks to all for the explanation. I have a new question regarding the admin role. With default setup, if I login as admin, I can start,stop, undeploy and deploy the application. Now, because the admin password has been shared by team, and I can't not share it with team. Why not use a more elaborate user database that lets you manage lots of users? There's no need to have shared passwords. So I plan to disable undeploy and deploy function from the web admin URL for the admin account. If anyone need deploy new version, they have to login the Unix box to do it manually. With that I can trace and have records easily. Ok. I would argue that letting people log into a web-based UI to do restarts, etc. is safer than giving them shell access, but that's your business. So I edit the file webapps/manager/WEB-INF/web.xml, and remove all the xml sessions for remove, install, undeploy, deploy and save. But after I restart the tomcat server, *I still can deploy and undeploy*. I suspect you only removed the security-constraint sections: that will open those operations to anyone who knows those URLs, which is obviously not what you want. If you have changed the admin password so nobody else knows it and you will require them to login to a shell, then why do you have to modify the manager configuration at all? Below are the lines I remove from the web.xml file. servlet-mapping servlet-nameManager/servlet-name url-pattern/install/url-pattern /servlet-mapping Are you sure you removed those lines? If you *have* removed them, then you haven't properly re-deployed the webapp. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7mTykACgkQ9CaO5/Lv0PBiZQCfZkqMvu6AJeiXvhK+S4EPMdiI PAcAnRt68Ybufzp12ZPODvvbnzbJifmu =i/JX -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
Thanks to all for the explanation. I have a new question regarding the admin role. With default setup, if I login as admin, I can start,stop, undeploy and deploy the application. Now, because the admin password has been shared by team, and I can't not share it with team. So I plan to disable undeploy and deploy function from the web admin URL for the admin account. If anyone need deploy new version, they have to login the Unix box to do it manually. With that I can trace and have records easily. So I edit the file webapps/manager/WEB-INF/web.xml, and remove all the xml sessions for remove, install, undeploy, deploy and save. But after I restart the tomcat server, *I still can deploy and undeploy*. Something I missed? part of tomcat-users.xml role rolename=manager/ role rolename=tomcat/ role rolename=admin/ role rolename=role1/ role rolename=monitoring/ user username=admin password=XXX roles=admin,manager/ user username=monitoring password=XXX roles=monitoring/ Below are the lines I remove from the web.xml file. servlet-mapping servlet-nameManager/servlet-name url-pattern/install/url-pattern /servlet-mapping servlet-mapping servlet-nameManager/servlet-name url-pattern/remove/url-pattern /servlet-mapping servlet-mapping servlet-nameManager/servlet-name url-pattern/deploy/url-pattern /servlet-mapping servlet-mapping servlet-nameManager/servlet-name url-pattern/undeploy/url-pattern /servlet-mapping url-pattern/remove/url-pattern url-pattern/deploy/url-pattern url-pattern/undeploy/url-pattern url-pattern/reload/url-pattern I don't find the admin part in web.xml. Regards, Bill On Wed, Nov 30, 2011 at 5:25 AM, Mark Thomas ma...@apache.org wrote: On 29/11/2011 17:05, Christopher Schultz wrote: Mark, On 11/29/11 11:15 AM, ma...@apache.org wrote: Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bill, On 11/28/11 7:08 PM, Bill Wang wrote: Here I have the last question, what's the reload option, is it same as stop/start? According to markt (who is known to be occasionally trustworthy): reload = stop + start I'm pretty sure I didn't say that. Sorry, you said: On 11/25/11 12:47 PM, Mark Thomas wrote: There is no such command as restart. You'll need: url-pattern/html/stop/url-pattern url-pattern/html/start/url-pattern I drew my own (perhaps incorrect) conclusion from that. In short: reload != restart Fuller explanation below. There is a subtle but important difference. Mark Reload keeps the same Context object (and doesn't reread the Context config) but does re-read web.xml and allows Jars to be updated. Stop/start creates a new Context object (as well as re-reading web.xml) and is therefore is a full restart of the context. Reload is sort of half a restart. There is no single command equivalent to stop/start. Gotcha. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bill, On 11/28/11 7:08 PM, Bill Wang wrote: Here I have the last question, what's the reload option, is it same as stop/start? According to markt (who is known to be occasionally trustworthy): reload = stop + start If it is, maybe I just need assign /html/reload to on-call team Mark says there's no reload command... only stop+start. It might be nice to have a reload command for just this purpose. Care to take a look at the manager app and submit a patch? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7U+mQACgkQ9CaO5/Lv0PAHOgCeIGstptEEQHPm08/y5M7+G6S3 HNoAnjEQmeXUqmTiUoFb9agfrciQ/eKm =v81e -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bill, On 11/28/11 7:08 PM, Bill Wang wrote: Here I have the last question, what's the reload option, is it same as stop/start? According to markt (who is known to be occasionally trustworthy): reload = stop + start I'm pretty sure I didn't say that. Reload keeps the same Context object (and doesn't reread the Context config) but does re-read web.xml and allows Jars to be updated. Stop/start creates a new Context object (as well as re-reading web.xml) and is therefore is a full restart of the context. Reload is sort of half a restart. There is no single command equivalent to stop/start. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 11/29/11 11:15 AM, ma...@apache.org wrote: Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bill, On 11/28/11 7:08 PM, Bill Wang wrote: Here I have the last question, what's the reload option, is it same as stop/start? According to markt (who is known to be occasionally trustworthy): reload = stop + start I'm pretty sure I didn't say that. Sorry, you said: On 11/25/11 12:47 PM, Mark Thomas wrote: There is no such command as restart. You'll need: url-pattern/html/stop/url-pattern url-pattern/html/start/url-pattern I drew my own (perhaps incorrect) conclusion from that. Reload keeps the same Context object (and doesn't reread the Context config) but does re-read web.xml and allows Jars to be updated. Stop/start creates a new Context object (as well as re-reading web.xml) and is therefore is a full restart of the context. Reload is sort of half a restart. There is no single command equivalent to stop/start. Gotcha. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7VEOEACgkQ9CaO5/Lv0PDCHQCgqK7NnODpEKlyIFWuggxNawID r/UAoKMYzcmqzjw2t1UYyEuF3dJSDuen =ZQQk -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
On 29/11/2011 17:05, Christopher Schultz wrote: Mark, On 11/29/11 11:15 AM, ma...@apache.org wrote: Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bill, On 11/28/11 7:08 PM, Bill Wang wrote: Here I have the last question, what's the reload option, is it same as stop/start? According to markt (who is known to be occasionally trustworthy): reload = stop + start I'm pretty sure I didn't say that. Sorry, you said: On 11/25/11 12:47 PM, Mark Thomas wrote: There is no such command as restart. You'll need: url-pattern/html/stop/url-pattern url-pattern/html/start/url-pattern I drew my own (perhaps incorrect) conclusion from that. In short: reload != restart Fuller explanation below. There is a subtle but important difference. Mark Reload keeps the same Context object (and doesn't reread the Context config) but does re-read web.xml and allows Jars to be updated. Stop/start creates a new Context object (as well as re-reading web.xml) and is therefore is a full restart of the context. Reload is sort of half a restart. There is no single command equivalent to stop/start. Gotcha. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
Thanks for everyone who replied me. I successfully did it. Now on-call team can stop/start the tomcat instances by themselves, but with other action,such as deploy, undeploy, check server status, they will get access denied . * * That's perfect. Here I have the last question, what's the reload option, is it same as stop/start? If it is, maybe I just need assign /html/reload to on-call team Regards, Bill On Sat, Nov 26, 2011 at 5:53 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 11/25/11 12:47 PM, Mark Thomas wrote: There is no such command as restart. You'll need: url-pattern/html/stop/url-pattern url-pattern/html/start/url-pattern Whoops. Thanks for catching that. You'll probably want: url-pattern/html/list/url-pattern as well. +1 - -chrs -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEUEARECAAYFAk7P5EAACgkQ9CaO5/Lv0PANjgCgt7PvxplfvSpeR3Z7TJF8+kHN S9QAl3kZqiTIxMiGyI27YJmz7zVZ11U= =OHNN -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bill, On 11/24/11 11:42 PM, Bill Wang wrote: Thanks, with your help, I find out this link: http://onjava.com/onjava/2001/07/24/tomcat.html, seems you need me setup MemoryRealm, then setup security constraint in webapps/manager/WEB-INF/web.xml Wow, you didn't have any protection on your manager webapp? You should already have had some kind of Realm configured. If you already had a Realm configured, then you didn't need to enable MemoryRealm (which is mostly a toy for doing simple authentication kind of like htpasswd is for Apache httpd). There is an exist role manager , I try to understand it and add a new role restart in this web.xml, always get permission deny. Post what you've got in your web.xml for security-constraint and user-role and we'll take a look. So could you please give some instruction on how to setup below URL to that role restart only? http://hostname:8181/manager/html/stop?path=/APPNAME http://hostname:8181/manager/html/start?path=/APPNAME You really need to read the servlet spec for an explanation of how to set up authorization in web.xml. Briefly, you're going to want something like this new security-constraint in your web.xml: security-constraint web-resource-collection web-resource-nameJust Restarts through the Web UI/web-resource-name url-pattern/html/restart/url-pattern /web-resource-collection auth-constraint role-namemanager-gui/role-name role-namemanager-gui-restart/role-name /auth-constraint /security-constraint ... security-role description People who can restart webapps. /description role-namemanager-gui-restart/role-name /security-role - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7Pr9EACgkQ9CaO5/Lv0PDwEACfTkyZuxmG6n4sa3EJS46VX7m0 xeMAnRpYTN+fdgttp6p4rSn6iJje9dtr =BVtE -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
On 25/11/2011 15:10, Christopher Schultz wrote: Bill, On 11/24/11 11:42 PM, Bill Wang wrote: Thanks, with your help, I find out this link: http://onjava.com/onjava/2001/07/24/tomcat.html, seems you need me setup MemoryRealm, then setup security constraint in webapps/manager/WEB-INF/web.xml Wow, you didn't have any protection on your manager webapp? You should already have had some kind of Realm configured. If you already had a Realm configured, then you didn't need to enable MemoryRealm (which is mostly a toy for doing simple authentication kind of like htpasswd is for Apache httpd). There is an exist role manager , I try to understand it and add a new role restart in this web.xml, always get permission deny. Post what you've got in your web.xml for security-constraint and user-role and we'll take a look. So could you please give some instruction on how to setup below URL to that role restart only? http://hostname:8181/manager/html/stop?path=/APPNAME http://hostname:8181/manager/html/start?path=/APPNAME You really need to read the servlet spec for an explanation of how to set up authorization in web.xml. Briefly, you're going to want something like this new security-constraint in your web.xml: security-constraint web-resource-collection web-resource-nameJust Restarts through the Web UI/web-resource-name url-pattern/html/restart/url-pattern There is no such command as restart. You'll need: url-pattern/html/stop/url-pattern url-pattern/html/start/url-pattern You'll probably want: url-pattern/html/list/url-pattern as well. Mark /web-resource-collection auth-constraint role-namemanager-gui/role-name role-namemanager-gui-restart/role-name /auth-constraint /security-constraint ... security-role description People who can restart webapps. /description role-namemanager-gui-restart/role-name /security-role -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
On 25 Nov 2011, at 04:43, Bill Wang bw57...@gmail.com wrote: Hi Mark, Thanks, with your help, I find out this link: http://onjava.com/onjava/2001/07/24/tomcat.html, 2001! :) p seems you need me setup MemoryRealm, then setup security constraint in webapps/manager/WEB-INF/web.xml There is an exist role manager , I try to understand it and add a new role restart in this web.xml, always get permission deny. So could you please give some instruction on how to setup below URL to that role restart only? http://hostname:8181/manager/html/stop?path=/APPNAME http://hostname:8181/manager/html/start?path=/APPNAME Regards, Bill On Thu, Nov 24, 2011 at 7:06 PM, ma...@apache.org wrote: Bill Wang bw57...@gmail.com wrote: Hi Tomcat guru, I have questions for the tomcat user roles setup. On-call team (24*7 support) need permission to restart one tomcat services, if they get call. I think it is maybe possible to let them restart tomcat throught Tomcat Web Application Manager (the admin url http://server:port/manager) My request is, I can't give the admin username and password directly to on-call team, admin account can not only restart the application, it can deploy and undeploy applications, that's too dangerous. So how can I setup the tomcat-users.xml or other config file to let on-call team has only permission to restart that particular application, not else. Regards, Bill You can create a new role in web.xml called restart and limit it to the list, start and stop commands since each command is part of the URL. Then you assign that role to a new user in your Realm. I'm on my phone so can't give an exact example. If that isn't enough info, I'm sure someone else can fill in the gaps for you. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 11/25/11 12:47 PM, Mark Thomas wrote: There is no such command as restart. You'll need: url-pattern/html/stop/url-pattern url-pattern/html/start/url-pattern Whoops. Thanks for catching that. You'll probably want: url-pattern/html/list/url-pattern as well. +1 - -chrs -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEUEARECAAYFAk7P5EAACgkQ9CaO5/Lv0PANjgCgt7PvxplfvSpeR3Z7TJF8+kHN S9QAl3kZqiTIxMiGyI27YJmz7zVZ11U= =OHNN -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
Bill Wang bw57...@gmail.com wrote: Hi Tomcat guru, I have questions for the tomcat user roles setup. On-call team (24*7 support) need permission to restart one tomcat services, if they get call. I think it is maybe possible to let them restart tomcat throught Tomcat Web Application Manager (the admin url http://server:port/manager) My request is, I can't give the admin username and password directly to on-call team, admin account can not only restart the application, it can deploy and undeploy applications, that's too dangerous. So how can I setup the tomcat-users.xml or other config file to let on-call team has only permission to restart that particular application, not else. Regards, Bill You can create a new role in web.xml called restart and limit it to the list, start and stop commands since each command is part of the URL. Then you assign that role to a new user in your Realm. I'm on my phone so can't give an exact example. If that isn't enough info, I'm sure someone else can fill in the gaps for you. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
Hi Mark, Thanks, with your help, I find out this link: http://onjava.com/onjava/2001/07/24/tomcat.html, seems you need me setup MemoryRealm, then setup security constraint in webapps/manager/WEB-INF/web.xml There is an exist role manager , I try to understand it and add a new role restart in this web.xml, always get permission deny. So could you please give some instruction on how to setup below URL to that role restart only? http://hostname:8181/manager/html/stop?path=/APPNAME http://hostname:8181/manager/html/start?path=/APPNAME Regards, Bill On Thu, Nov 24, 2011 at 7:06 PM, ma...@apache.org wrote: Bill Wang bw57...@gmail.com wrote: Hi Tomcat guru, I have questions for the tomcat user roles setup. On-call team (24*7 support) need permission to restart one tomcat services, if they get call. I think it is maybe possible to let them restart tomcat throught Tomcat Web Application Manager (the admin url http://server:port/manager) My request is, I can't give the admin username and password directly to on-call team, admin account can not only restart the application, it can deploy and undeploy applications, that's too dangerous. So how can I setup the tomcat-users.xml or other config file to let on-call team has only permission to restart that particular application, not else. Regards, Bill You can create a new role in web.xml called restart and limit it to the list, start and stop commands since each command is part of the URL. Then you assign that role to a new user in your Realm. I'm on my phone so can't give an exact example. If that isn't enough info, I'm sure someone else can fill in the gaps for you. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org