-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bill,
On 11/24/11 11:42 PM, Bill Wang wrote: > Thanks, with your help, I find out this link: > http://onjava.com/onjava/2001/07/24/tomcat.html, seems you need me > setup MemoryRealm, then setup security constraint in > webapps/manager/WEB-INF/web.xml Wow, you didn't have any protection on your manager webapp? You should already have had some kind of Realm configured. If you already had a Realm configured, then you didn't need to enable MemoryRealm (which is mostly a toy for doing simple authentication kind of like htpasswd is for Apache httpd). > There is an exist role "manager" , I try to understand it and add a > new role "restart" in this web.xml, always get permission deny. Post what you've got in your web.xml for <security-constraint> and <user-role> and we'll take a look. > So could you please give some instruction on how to setup below URL > to that role "restart" only? > > http://hostname:8181/manager/html/stop?path=/APPNAME > http://hostname:8181/manager/html/start?path=/APPNAME You really need to read the servlet spec for an explanation of how to set up authorization in web.xml. Briefly, you're going to want something like this new <security-constraint> in your web.xml: <security-constraint> <web-resource-collection> <web-resource-name>Just Restarts through the Web UI</web-resource-name> <url-pattern>/html/restart</url-pattern> </web-resource-collection> <auth-constraint> <role-name>manager-gui</role-name> <role-name>manager-gui-restart</role-name> </auth-constraint> </security-constraint> ... <security-role> <description> People who can restart webapps. </description> <role-name>manager-gui-restart</role-name> </security-role> - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7Pr9EACgkQ9CaO5/Lv0PDwEACfTkyZuxmG6n4sa3EJS46VX7m0 xeMAnRpYTN+fdgttp6p4rSn6iJje9dtr =BVtE -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org