On 25/11/2011 15:10, Christopher Schultz wrote:
> Bill,
>
> On 11/24/11 11:42 PM, Bill Wang wrote:
>> Thanks, with your help, I find out this link:
>> http://onjava.com/onjava/2001/07/24/tomcat.html, seems you need
>> me setup MemoryRealm, then setup security constraint in
>> webapps/manager/WEB-INF/web.xml
>
> Wow, you didn't have any protection on your manager webapp? You
> should already have had some kind of Realm configured. If you
> already had a Realm configured, then you didn't need to enable
> MemoryRealm (which is mostly a toy for doing simple authentication
> kind of like htpasswd is for Apache httpd).
>
>> There is an exist role "manager" , I try to understand it and add
>> a new role "restart" in this web.xml, always get permission
>> deny.
>
> Post what you've got in your web.xml for <security-constraint> and
> <user-role> and we'll take a look.
>
>> So could you please give some instruction on how to setup below
>> URL to that role "restart" only?
>
>> http://hostname:8181/manager/html/stop?path=/APPNAME
>> http://hostname:8181/manager/html/start?path=/APPNAME
>
> You really need to read the servlet spec for an explanation of how
> to set up authorization in web.xml. Briefly, you're going to want
> something like this new <security-constraint> in your web.xml:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Just Restarts through the Web UI</web-resource-name>
>       <url-pattern>/html/restart</url-pattern>

There is no such command as restart. You'll need:
<url-pattern>/html/stop</url-pattern>
<url-pattern>/html/start</url-pattern>

You'll probably want:
<url-pattern>/html/list</url-pattern>
as well.

Mark

>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>manager-gui</role-name>
>       <role-name>manager-gui-restart</role-name>
>     </auth-constraint>
>   </security-constraint>
>
> ...
>
>   <security-role>
>     <description>
>       People who can restart webapps.
>     </description>
>     <role-name>manager-gui-restart</role-name>
>   </security-role>
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
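
An added example, not part of the thread: a small Python check that loads a web.xml and reports which roles govern a given manager URL, following the servlet spec's match order (exact, then longest path prefix, then extension, then default). The `/html/*` constraint in the sample is an assumed stand-in for the manager webapp's existing constraint, and the check is simplified: it ignores `<http-method>` and assumes every constraint has a non-empty `<auth-constraint>`.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an assumed pre-existing /html/* constraint plus the one from the thread.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/html/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/html/stop</url-pattern>
   <url-pattern>/html/start</url-pattern>
   <url-pattern>/html/list</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>manager-gui</role-name>
   <role-name>manager-gui-restart</role-name>
  </auth-constraint>
 </security-constraint>
 <security-role><role-name>manager-gui</role-name></security-role>
 <security-role><role-name>manager-gui-restart</role-name></security-role>
</web-app>"""

def load_constraints(xml_text):
    """Return ({url-pattern: set of roles}, set of declared security-roles)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                       # strip namespaces used by real web.xml files
        el.tag = el.tag.rsplit("}", 1)[-1]
    table = {}
    for sc in root.iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        for pat in sc.iter("url-pattern"):       # same pattern in several constraints: union of roles
            table.setdefault(pat.text.strip(), set()).update(roles)
    return table, {r.text.strip() for sr in root.iter("security-role") for r in sr.iter("role-name")}

def roles_for(request, table):
    path = request.split("?", 1)[0]              # the query string (?path=/APPNAME) is not matched
    if path in table:                            # 1. exact match beats any wildcard
        return path, table[path]
    prefixes = [p for p in table if p.endswith("/*") and (path + "/").startswith(p[:-1])]
    if prefixes:                                 # 2. longest path-prefix match
        return max(prefixes, key=len), table[max(prefixes, key=len)]
    ext = "*." + path.rpartition(".")[2]
    if ext in table and "." in path.rsplit("/", 1)[-1]:   # 3. extension match
        return ext, table[ext]
    return ("/", table["/"]) if "/" in table else (None, set())  # 4. default, else unconstrained

def undeclared_roles(table, declared):  # roles used in an auth-constraint but never declared
    return set().union(*table.values()) - declared
```

Because the exact patterns take precedence over `/html/*`, a role missing from the new constraint loses access to those three URLs, which is why `manager-gui` is listed there alongside `manager-gui-restart`.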