*With this tomcat-users.xml*

<role rolename="manager-script"/>
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<role rolename="tomee-admin" /> <!-- Activate/create these lines to get access to TomEE GUI -->
<role rolename="manager"/>
<user username="tomcat" password="tomcat" roles="admin-script"/>
<user username="tomtest" password="tomtest" roles="manager-gui"/>

*Test*
curl -u tomcat:tomcat http://localhost:8080/host-manager/text/list

*Result*:
OK - Listed hosts
[localhost]:[]

I make the same username and password for both admin-script & manager-gui

<role rolename="manager-script"/>
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<role rolename="tomee-admin" /> <!-- Activate/create these lines to get access to TomEE GUI -->
<role rolename="manager"/>
<user username="tomcat" password="tomcat" roles="admin-script"/>
<user username="tomcat" password="tomcat" roles="manager-gui"/>

*Test*
curl -u tomcat:tomcat http://localhost:8080/host-manager/text/list

*Result:*
curl -u tomcat:tomcat http://localhost:8080/host-manager/text/list
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" " http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>403 Access Denied</title>
<style type="text/css">
<!--
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
PRE, TT {border: 1px dotted #525D76}
A {color : black;}A.name {color : black;}

*I change to a different username, same password, for both admin-script & manager-gui*

<role rolename="manager-script"/>
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<role rolename="tomee-admin" /> <!-- Activate/create these lines to get access to TomEE GUI -->
<role rolename="manager"/>
<user username="tomcat" password="tomcat" roles="admin-script"/>
<user username="tomtest" password="tomcat" roles="manager-gui"/>

*Test*
curl -u tomcat:tomcat http://localhost:8080/host-manager/text/list

*Result*:
OK - Listed hosts
[localhost]:[]

*Confirmation Test: The username must be unique*

<role rolename="manager-script"/>
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<role rolename="tomee-admin" /> <!-- Activate/create these lines to get access to TomEE GUI -->
<role rolename="manager"/>
<user username="tomscript" password="tomcat" roles="admin-script"/>
<user username="tomgui" password="tomcat" roles="manager-gui"/>
<user username="tomadmin" password="tomcat" roles="admin-gui"/>
<user username="tomee" password="tomee" roles="tomee-admin"/>
<user username="admin" password="" roles="manager"/>

curl -u *tomscript*:tomcat http://localhost:8080/host-manager/text/list
OK - Listed hosts
[localhost]:[]

<http://www.backbutton.co.uk/>

On Tue, 18 Aug 2020, 21:21 Anwar AliKhan, <anwaralikhan...@gmail.com> wrote:

> *This works*
> curl -u tomcat:tomcat http://localhost:8080/host-manager/text/list
> OK - Listed hosts
> [localhost]:[]
>
>
> I have rebooted and restarted the browser.
> *BUT with the same tomcat-users.xml*
>
> *It is now going straight to 401.*
>
> *with all three URLs*
> http://localhost:8080/manager/status
> http://localhost:8080/manager/html
> http://localhost:8080/host-manager/html
>
> *tomcat-users.xml*
>
> <role rolename="manager-gui"/>
> <role rolename="manager-script"/>
> <role rolename="admin-gui"/>
> <role rolename="tomee-admin" /> <!-- Activate/create these lines to get access to TomEE GUI -->
> <role rolename="manager"/>
> <user username="tomcat" password="tomcat"
>       roles="manager-gui,admin-script,admin-gui,tomee-admin,manager"/>
>
> 401 Unauthorized
> You are not authorized to view this page. If you have not changed any
> configuration files, please examine the file conf/tomcat-users.xml in your
> installation. That file must contain the credentials to let you use this
> webapp.
>
> For example, to add the manager-gui role to a user named tomcat with a
> password of s3cret, add the following to the config file listed above.
>
> <role rolename="manager-gui"/>
> <user username="tomcat" password="s3cret" roles="manager-gui"/>
>
> Note that for Tomcat 7 onwards, the roles required to use the manager
> application were changed from the single manager role to the following four
> roles. You will need to assign the role(s) required for the functionality
> you wish to access.
>
> manager-gui - allows access to the HTML GUI and the status pages
> manager-script - allows access to the text interface and the status pages
> manager-jmx - allows access to the JMX proxy and the status pages
> manager-status - allows access to the status pages only
>
> The HTML interface is protected against CSRF but the text and JMX
> interfaces are not. To maintain the CSRF protection:
>
> Users with the manager-gui role should not be granted either the
> manager-script or manager-jmx roles.
> If the text or jmx interfaces are accessed through a browser (e.g. for
> testing since these interfaces are intended for tools not humans) then the
> browser must be closed afterwards to terminate the session.
> <http://www.backbutton.co.uk/>
>
>
> On Tue, 18 Aug 2020, 20:46 , <jonmcalexan...@wellsfargo.com.invalid>
> wrote:
>
>> I was going to say it sounds like a persistent cookie...
>>
>>
>> Dream * Excel * Explore * Inspire
>> Jon McAlexander
>> Asst Vice President
>>
>> Middleware Product Engineering
>> Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
>>
>> 8080 Cobblestone Rd | Urbandale, IA 50322
>> MAC: F4469-010
>> Tel 515-988-2508 | Cell 515-988-2508
>>
>> jonmcalexan...@wellsfargo.com
>>
>>
>> This message may contain confidential and/or privileged information. If
>> you are not the addressee or authorized to receive this for the addressee,
>> you must not use, copy, disclose, or take any action based on this message
>> or any information herein. If you have received this message in error,
>> please advise the sender immediately by reply e-mail and delete this
>> message. Thank you for your cooperation.
>>
>> -----Original Message-----
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Tuesday, August 18, 2020 1:57 PM
>> To: users@tomcat.apache.org
>> Subject: Re: Login appears only once
>>
>> On 18/08/2020 19:45, Anwar AliKhan wrote:
>> > I rebooted the machine, then the login box appeared.
>> > Obviously this is not an ideal solution!
>>
>> Did you close the browser between tests?
>>
>> Mark
>>
>>
>> > On Tue, 18 Aug 2020, 19:07 Anwar AliKhan, <anwaralikhan...@gmail.com>
>> wrote:
>> >
>> >> Hi,
>> >> I deployed an app called tomee using the tomcat manager app.
>> >>
>> >> The first time I selected the app in the tomcat manager to run it,
>> >> a login appeared asking for username and password.
>> >>
>> >> I had not set it up. So it took me to the 403 page.
>> >>
>> >> Now I have set up tomee-admin user.
>> >>
>> >> I stopped and restarted tomcat for it to register the contents of
>> >> tomcat-users.xml. I no longer get the login box. It goes straight to
>> >> the 403 page.
>> >>
>> >> *What is the problem? Thanks for your help*
>> >>
>> >>
>> >>
>> >> <role rolename="manager-gui"/>
>> >> <!-- Activate/create these lines to get access to TomEE GUI -->
>> >> <role rolename="tomee-admin" />
>> >> <user username="tomcat" password="s3cret" roles="manager-gui"/>
>> >> <user username="admin" password="" roles="manager"/>
>> >> <user username="tomee" password="tomee" roles="tomee-admin" />
>> >>
>> >> HTTP Status 403 – Forbidden
>> >> ------------------------------
>> >>
>> >> *Type* Status Report
>> >>
>> >> *Message* Access to the requested resource has been denied
>> >>
>> >> *Description* The server understood the request but refuses to
>> >> authorize it.
>> >> ------------------------------
>> >> Apache Tomcat/9.0.37
>> >>
>> >
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
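
Added example, not part of the original thread and not Tomcat's own code: a small audit of a tomcat-users.xml document for the conditions this thread ran into (a username defined in two `<user>` entries, empty or username-equal passwords, and the manager-gui plus manager-script/manager-jmx combination the quoted 401 page warns about). The `<tomcat-users>` wrapper, the `deploy` user and its password, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the duplicate "tomcat" entries and the empty-password
# "admin" entry come from the thread; "deploy" is a hypothetical user.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="admin-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="Xk9-constructed" roles="manager-gui,manager-script"/>
  <user username="admin" password="" roles="manager"/>
</tomcat-users>"""

# From the manager 401 page quoted in the thread: manager-gui users should
# not also hold manager-script or manager-jmx, to keep the CSRF protection.
CSRF_UNSAFE_WITH_GUI = {"manager-script", "manager-jmx"}


def local(tag):
    """Drop the XML namespace prefix, so files with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return sorted (username, finding) pairs for a tomcat-users.xml document."""
    users = [e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "user"]
    seen = Counter(u.get("username", "") for u in users)
    findings = set()
    for u in users:
        name, pw = u.get("username", ""), u.get("password", "")
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        if seen[name] > 1:
            findings.add((name, "duplicate-username"))
        if pw == "":
            findings.add((name, "empty-password"))
        elif pw == name:
            findings.add((name, "password-equals-username"))
        if "manager-gui" in roles and roles & CSRF_UNSAFE_WITH_GUI:
            findings.add((name, "gui-and-script-roles"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
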