Re: Tomcat 7.0.33 manager - 403 Access Denied
Hi Konstantin,

On Tue, Apr 23, 2013 at 6:48 PM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:

>> I can't tell what I'm missing. Also, steps #2 and #3 are not even
>> required if I am using the RemoteAddrValve, correct?
>
> No. They are not related to RemoteAddrValve.

Thanks!

> I would say that you should be stopped by CsrfPreventionFilter, because
> your heapused.jsp is not in the list of configured entry points.

Bingo!

> Shanti wrote:
>> The funny thing is that I gather the JMX metrics in an identical manner
>> on Tomcat 7.0.23 and JDK 1.6 on several other RedHat Linux servers.
>
> CVE-2012-4431

Thanks so much! I am now able to get heapused.jsp to work. I only had to add heapused.jsp into web.xml. I did not need to add /jmxproxy/.

--- manager/WEB-INF/web.xml: ---

  <filter>
    <filter-name>CSRF</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>entryPoints</param-name>
      <param-value>/html,/html/,/html/list,/heapused.jsp,/index.jsp</param-value>
    </init-param>
  </filter>

  curl http://localhost:6090/manager/heapused.jsp   ==> gives me the value.

One question I have though is that I have other JSP pages for gathering other JMX metrics. I would like to not have to list these individually as entry points. I tried to put these JSPs into a jmx/ sub-directory under manager/. I added:

  <url-pattern>/jmx/*</url-pattern>

both individually as well as in conjunction with init-param in web.xml:

  <filter>
    <filter-name>CSRF</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>entryPoints</param-name>
      <param-value>/html,/html/,/html/list,/jmx/,/heapused.jsp,/index.jsp</param-value>
    </init-param>
    <url-pattern>/jmx/*</url-pattern>
  </filter>

But I got a 403 upon accessing:

  curl http://localhost:6090/manager/jmx/heapused.jsp

The CSRF filter documentation did not mention url-pattern:
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

Is there a way to achieve what I'd like?

Thanks!
-Shanti
Re: Tomcat 7.0.33 manager - 403 Access Denied
2013/4/24 Shanti Suresh <sha...@umich.edu>:
> One question I have though is that I have other JSP pages for gathering
> other JMX metrics. I would like to not have to list these individually as
> entry points. I tried to put these JSPs into a jmx/ sub-directory under
> manager/.
>
> But I got a 403 upon accessing:
>
>   curl http://localhost:6090/manager/jmx/heapused.jsp
>
> The CSRF filter documentation did not mention url-pattern:
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
>
> Is there a way to achieve what I'd like?

The source code is out there. You can subclass the filter, implement your own, or propose a patch. This feature was not needed, thus nobody implemented it.

Alternatively, it is possible to change filter mapping so that it is not mapped to jsp servlet as a whole but to /index.jsp only (the only publicly callable jsp page there).

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
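A worked form of the mapping change Konstantin suggests, added here as an example (not code from the thread or from Tomcat's shipped web.xml). It assumes the stock Tomcat 7 manager web.xml maps the CSRF filter by servlet name to HTMLManager and to the jsp servlet, replaces the jsp mapping with /index.jsp only, and adds a security constraint for the metric JSPs (the /jmx/ path is Shanti's layout), because the constraint on /jmxproxy/* is checked against the client's request URL and so does not cover a JSP that forwards to it.

```xml
<!-- Added example, not the thread's or Tomcat's own web.xml. Assumes the
     stock Tomcat 7 manager filter-mapping shown in the "Before" comment. -->

<!-- Before: the CSRF filter wraps every JSP in the manager webapp, so any
     JSP that is not listed in entryPoints gets a 403 unless a nonce is sent.
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <servlet-name>HTMLManager</servlet-name>
  <servlet-name>jsp</servlet-name>
</filter-mapping>
-->

<!-- After: CSRF protection stays on the HTML manager and on /index.jsp,
     the only JSP meant to be opened from a browser; JSPs under /jmx/ are
     no longer routed through the filter, so no entryPoints list is needed. -->
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <servlet-name>HTMLManager</servlet-name>
  <url-pattern>/index.jsp</url-pattern>
</filter-mapping>

<!-- Security constraints are applied to the request URL the client sent,
     not to the target of a jsp:forward. A JSP that forwards to /jmxproxy/
     is therefore reachable without the manager-jmx role unless the JSP's
     own path is constrained. The paths below are an assumption about where
     the metric JSPs live (heapused.jsp at the root, the rest under /jmx/). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JMX metric pages</web-resource-name>
    <url-pattern>/jmx/*</url-pattern>
    <url-pattern>/heapused.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- manager-jmx is already declared as a security-role in the manager webapp -->
    <role-name>manager-jmx</role-name>
  </auth-constraint>
</security-constraint>
```

With the constraint in place the curl call needs -u with a manager-jmx user, and the RemoteAddrValve is no longer the only control between the network and the JMX data.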
Tomcat 7.0.33 manager - 403 Access Denied
All,

I am wondering what I'm doing wrong - the Manager application is denying me access. Here are the details:

Tomcat version: 7.0.33
JDK version:
  java version "1.7.0_09"
  Java(TM) SE Runtime Environment (build 1.7.0_09-b05)
  Java HotSpot(TM) 64-Bit Server VM (build 23.5-b02, mixed mode)
Operating System: RedHat Linux - 2.6.18-348.4.1.el5

Steps I took to permit manager:

(1) $CATALINA_HOME/conf/Catalina/localhost/manager.xml:

  <Context path="/manager" privileged="true" antiResourceLocking="false"
           docBase="${catalina.home}/webapps/manager">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>
  </Context>

(2) $CATALINA_HOME/conf/tomcat-users.xml:

  <user username="jmxparty" password="r5678dcdddxx" roles="standard,manager-jmx" />

(3) $CATALINA_HOME/conf/server.xml: added digest="SHA":

  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="SHA"/>

(4) Added heapused.jsp as follows:

  $ cd $CATALINA_HOME/webapps/manager
  $ more heapused.jsp
  <jsp:forward page="/jmxproxy/">
    <jsp:param name="get" value="java.lang:type=Memory" />
    <jsp:param name="att" value="HeapMemoryUsage" />
    <jsp:param name="key" value="used" />
  </jsp:forward>

(5) Restarted Tomcat

(6) I get a 403 Access Denied upon:

  curl http://localhost:8080/manager/heapused.jsp

I can't tell what I'm missing. Also, steps #2 and #3 are not even required if I am using the RemoteAddrValve, correct?

Thanks.
-Shanti
RE: Tomcat 7.0.33 manager - 403 Access Denied
-----Original Message-----
From: Shanti Suresh [mailto:sha...@umich.edu]
Subject: Tomcat 7.0.33 manager - 403 Access Denied

> Steps I took to permit manager:
>
> (2) $CATALINA_HOME/conf/tomcat-users.xml:
>
>   <user username="jmxparty" password="r5678dcdddxx" roles="standard,manager-jmx" />

Is that password really the SHA value of something? If your password was: password1, then you would store the SHA value of password1 in your tomcat-users.xml

> (3) $CATALINA_HOME/conf/server.xml: added digest="SHA":
>
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="SHA"/>
Re: Tomcat 7.0.33 manager - 403 Access Denied
Hi Leo,

On Tue, Apr 23, 2013 at 1:56 PM, Leo Donahue - RDSA IT <leodona...@mail.maricopa.gov> wrote:
> Is that password really the SHA value of something? If your password was:
> password1, then you would store the SHA value of password1 in your
> tomcat-users.xml

Not the entry I posted. I munged it. But yes, I use the SHA digests of passwords in tomcat-users.xml.

Thanks for checking.
-Shanti
Re: Tomcat 7.0.33 manager - 403 Access Denied
try to comment out RemoteAddrValve, and check if the error still exists

have you added <role rolename="manager-jmx"/> into users.xml ?

add <role rolename="manager-gui"/> and try with web page, what is the error ?

have you tried with bare
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
- without sha ?

for me, starting with pure downloaded latest tomcat 7, following configuration enables html manager:

  <role rolename="tomcat"/>
  <role rolename="manager-gui"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager-gui,admin"/>

download new tomcat, check if above conf works for you, then add manager-jmx, check with jmx and then add RemoteAddrValve, check, and then add sha.

regards
Jakub

On Tue, Apr 23, 2013 at 8:20 PM, Shanti Suresh <sha...@umich.edu> wrote:
> Not the entry I posted. I munged it. But yes, I use the SHA digests of
> passwords in tomcat-users.xml.
>
> Thanks for checking.
> -Shanti
Re: Tomcat 7.0.33 manager - 403 Access Denied
Hi Jakub,

Thank you for the suggestions. Appreciate the thoughts.

On Tue, Apr 23, 2013 at 3:33 PM, Jakub 1983 <jjaku...@gmail.com> wrote:
> try to comment out RemoteAddrValve, and check if the error still exists

Yes, I had tried that. It didn't work.

> have you added <role rolename="manager-jmx"/> into users.xml ?
>
> add <role rolename="manager-gui"/> and try with web page, what is the error ?

Good idea. Adding a manager-jmx role entry didn't make a difference. And, yes, I am able to access /manager/html/. I logged in at the prompt.

> have you tried with bare
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
> - without sha ?

Passwords work fine. So SHA is not the issue.

> for me, starting with pure downloaded latest tomcat 7, following
> configuration enables html manager:
>
>   <role rolename="tomcat"/>
>   <role rolename="manager-gui"/>
>   <role rolename="admin"/>
>   <user username="tomcat" password="tomcat" roles="tomcat,manager-gui,admin"/>

HTML manager works for me too.

> download new tomcat,

Yes, I may have to do that.

> check if above conf works for you, then add manager-jmx, check with jmx
> and then add RemoteAddrValve, check, and then add sha.

The funny thing is that I gather the JMX metrics in an identical manner on Tomcat 7.0.23 and JDK 1.6 on several other RedHat Linux servers.

Thanks for letting me brainstorm.
-Shanti
RE: Tomcat 7.0.33 manager - 403 Access Denied
I'm not sure if it's applicable here, but I'll let you know my prior experience with this kind of thing on Tomcat 6.0.xx. I've had to stop the manager app, clear out the work folder and I think maybe even delete the manager.xml file out of the conf\Catalina\localhost dir because it wasn't getting overwritten. Not sure if this is happening to you or not.

-----Original Message-----
From: Shanti Suresh [mailto:sha...@umich.edu]
Sent: Tuesday, April 23, 2013 3:20 PM
To: Tomcat Users List
Subject: Re: Tomcat 7.0.33 manager - 403 Access Denied

> Hi Jakub,
>
> Thank you for the suggestions. Appreciate the thoughts.
>
> The funny thing is that I gather the JMX metrics in an identical manner
> on Tomcat 7.0.23 and JDK 1.6 on several other RedHat Linux servers.
>
> Thanks for letting me brainstorm.
> -Shanti
Re: Tomcat 7.0.33 manager - 403 Access Denied
2013/4/23 Shanti Suresh <sha...@umich.edu>:
> All,
>
> I am wondering what I'm doing wrong - the Manager application is denying
> me access. Here are the details:
>
> Tomcat version: 7.0.33
>
> (4) Added heapused.jsp as follows:
>
>   $ cd $CATALINA_HOME/webapps/manager
>   $ more heapused.jsp
>   <jsp:forward page="/jmxproxy/">
>     <jsp:param name="get" value="java.lang:type=Memory" />
>     <jsp:param name="att" value="HeapMemoryUsage" />
>     <jsp:param name="key" value="used" />
>   </jsp:forward>
>
> (5) Restarted Tomcat
>
> (6) I get a 403 Access Denied upon:
>
>   curl http://localhost:8080/manager/heapused.jsp
>
> I can't tell what I'm missing. Also, steps #2 and #3 are not even
> required if I am using the RemoteAddrValve, correct?

No. They are not related to RemoteAddrValve.

I would say that you should be stopped by CsrfPreventionFilter, because your heapused.jsp is not in the list of configured entry points.

Shanti wrote:
> The funny thing is that I gather the JMX metrics in an identical manner
> on Tomcat 7.0.23 and JDK 1.6 on several other RedHat Linux servers.

CVE-2012-4431

Best regards,
Konstantin Kolinko