Re: Tomcat 7.0.33 manager - 403 Access Denied

Wed, 24 Apr 2013 11:06:49 -0700 

Hi Konstantin,

On Tue, Apr 23, 2013 at 6:48 PM, Konstantin Kolinko
<knst.koli...@gmail.com>wrote:

>
> >
> > I can't tell what I'm missing.  Also, steps #2 and #3 are not even
> required
> > if I am using the RemoteAddrValve, correct?
>
> No. They are not related to RemoteAddrValve.
>

Thanks!


>
>
> I would say that you should be stopped by CsrfPreventionFilter,
> because your heapused.jsp is not in the list of configured entry
> points.
>

Bingo!

>
> Shanti wrote:
> > The funny thing is that I gather the JMX metrics in an identical manner
> on
> > Tomcat 7.0.23 and JDK 1.6 on several  other RedHat Linux servers.
>
> CVE-2012-4431
>

Thanks so much!

I am now able to get heapused.jsp to work.  I only had to add heapused.jsp
into web.xml.  I did not need to add "/jmxroxy/".

-----manager/WEB-INF/web.xml:-----
<filter>
    <filter-name>CSRF</filter-name>

<filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>entryPoints</param-name>

<param-value>/html,/html/,/html/list,/heapused.jsp,/index.jsp</param-value>
    </init-param>
  </filter>
--------------------

curl http://localhost:6090/manager/heapused.jsp  ==>  gives me the value.

One question I have though is that I have other JSP pages for gathering
other JMX metrics.  I would like to not have to list these individually as
entry points.  I tried to put these JSPs into a jmx/ sub-directory under
manager/.  I added: "<url-pattern>/jmx/*</url-pattern>" both individually
as well as in conjunction with <init-param> in web.xml.

<filter>
    <filter-name>CSRF</filter-name>

<filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>entryPoints</param-name>

<param-value>/html,/html/,/html/list,/jmx/,/heapused.jsp,/index.jsp</param-value>
    </init-param>
    <url-pattern>/jmx/*</url-pattern>
  </filter>

But I got a 403 upon accessing:

curl http://localhost:6090/manager/jmx/heapused.jsp

The CSRF filter documentation did not mention "url-pattern":
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

Is there a way to achieve what I'd like?

Thanks!
                  -Shanti

Reply via email to