2013/2/1 L Alex Pranger <apran...@biostargroup.com>:
> Thanks for looking at this,
>
> answers / comments in relevant areas below
>
> On Thu, Jan 31, 2013 at 3:41 PM, Konstantin Kolinko
> <knst.koli...@gmail.com> wrote:
>
>> 2013/2/1 L Alex Pranger <apran...@biostargroup.com>:
>> > I know that this question has been asked numerous times before, and I have
>> > checked the FAQs and setup documentation. I have made sure that the common
>> > mistakes such as leaving the users inside comments, failing to stop and
>> > restart tomcat, and configuring the realms are not the cause of my issue.
>> > I have even tried multiple browsers (Chrome/FF).
>> >
>> > When I click the link for the TomCat Manager App, I get the username and
>> > password request. When I enter the values that are in my tomcat-users.xml
>> > file (included below), it does not accept those values. To me it seemed
>> > most likely that the Realms were not set up right, so I've included the
>> > relevant parts of the server.xml file as well.
>> >
>> > At first I thought that it was because the
>> > org.apache.catalina.realm.MemoryRealm was not defined, so I added that
>> > right after the UserDatabaseRealm with no change in behavior.
>> > <Realm className="org.apache.catalina.realm.MemoryRealm"
>> > resourceName="UserDatabase"/>
>> > I then thought that maybe it was because those Realms were apparently
>> > inside the LockOutRealm, but when I moved the </Realm> tag to before the
>> > UserDatabaseRealm and MemoryRealm statements, then the web server just hung
>> > and did not respond to requests. Again, tomcat was stopped and restarted
>> > (using the shutdown.sh and startup.sh scripts in /bin) each time I made a
>> > change to these files.
>> >
>> > I'm sure it's probably a typo or similar on my part, and perhaps another
>> > set of eyes that know what they are doing can point out my mistake. Thank
>> > you. Relevant details are below ...
>> >
>> > ./version.sh
>> > Using CATALINA_BASE: /srv/tomcat7
>> > Using CATALINA_HOME: /srv/tomcat7
>> > Using CATALINA_TMPDIR: /srv/tomcat7/temp
>> > Using JRE_HOME: /usr/lib64/jvm/jre
>> > Using CLASSPATH: /srv/tomcat7/bin/bootstrap.jar:/srv/tomcat7/bin/tomcat-juli.jar
>> > Server version: Apache Tomcat/7.0.33
>> > Server built: Nov 18 2012 04:15:21
>> > Server number: 7.0.33.0
>> > OS Name: Linux
>> > OS Version: 2.6.27.56-0.1-default
>> > Architecture: amd64
>> > JVM Version: 1.6.0_0-b16
>> > JVM Vendor: Sun Microsystems Inc.
>> >
>> >
>> > ./startup.sh
>> > Using CATALINA_BASE: /srv/tomcat7
>> > Using CATALINA_HOME: /srv/tomcat7
>> > Using CATALINA_TMPDIR: /srv/tomcat7/temp
>> > Using JRE_HOME: /usr/lib64/jvm/jre
>> > Using CLASSPATH: /srv/tomcat7/bin/bootstrap.jar:/srv/tomcat7/bin/tomcat-juli.jar
>> >
>> > tomcat-users.xml
>>
>> 1. No xml header here? It should not be necessary, but beware of
>> implications.
>>
>
> There is a header, it was just above all the comments I didn't include.
> <?xml version='1.0' encoding='utf-8'?>
>
Remove those comments. The fewer characters there are in the file, the
fewer places for possible errors you have.

That "SAXParseException: The content of elements must consist of
well-formed character data or markup." indicates that the content of your
tomcat-users.xml file is broken and is not well-formed XML. Unfortunately
it does not say on what line it happens.

There are many ways to check well-formedness of an XML file. (One of the
easy ways is to open it with a modern web browser such as Firefox).

One common pitfall is that you cannot have "--" inside a comment, so
<!-- -- --> is broken.

> (...)
>
>> 3. Is the file readable by the user that Tomcat runs under? (Obviously
>> it should not be readable by anyone else for security reasons).
>>
>
> Once running, I plan to switch to a "tomcat" user. While I'm trying to get
> this to run, tomcat is running as root.
>

1. One consequence of your experiment is that the log files and the work
directory files will be owned by the wrong user and not writable.

2. If you run as root, once someone manages to log into your manager
application and upload a malicious war file, your whole system is
compromised.

>>
>> 4. Is your copy of manager webapp the standard one? (Configured to use
>> BASIC authentication).
>>
>
> The manager is the one built directly from the 7.0.33 tar.gz file
>
> I'm not sure about configured for BASIC authentication. If that
> isn't part of the server.xml file, how would I check that?

It is in its WEB-INF/web.xml

>
>> 5. Are you being asked for a password, or just being denied access?
>>
>
> It asks for a username and password in a popup, much the same way .htaccess
> works.
> An incorrect (or at least not passing) username/password combo takes me
> back to the popup. I only get the denied/reject screen when I "cancel" the
> password.

OK.

>> If the latter then you may be facing a RemoteAddrValve denying access.
>> (And if you do not have one configured, you would better configure one).
>>
>
> There is no RemoteAddrValve in the current server.xml file.
>
> So, if I understand correctly, I would want to add a Valve value, inside my
> <Host> container?
>

If you want to restrict access to the Manager application only, then it
should go into the <Context> element in META-INF/context.xml of the manager
application.

If you want to restrict access to the server (virtual host) as a whole,
then yes, it will go into <Host>.

> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="10.2.0.0|10.2.255.255" deny="" />
>
> would allow all my 10.2.*.* addresses to access the system?

No.
1) remove the deny attribute
2) allow="10\.2\.\d+\.\d+"

It is a regexp that should match the string that you see in your access
log file.

http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html

>
> In the Host tag, for the name (currently localhost) do I need to configure
> alternate access methods (i.e. 10.2.1.1 or myserver.mycompany.com)?
>
> <Host name="localhost" appBase="webapps"
> unpackWARs="true" autoDeploy="true">
> <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
> prefix="localhost_access_log." suffix=".txt"
> pattern="%h %l %u %t &quot;%r&quot; %s %b" />
>
> </Host>
>
>> 6. Beware that LockoutRealm will block you after several (5) failures.
>>
>
> I don't make that many attempts (usually just 2x) before making some change
> and stopping and restarting tomcat.
>
>> 7. What is being written into your access log file?
>> Are you accessing this copy of Tomcat?
>>
>
> Tomcat itself is running when I go to port 8080 on my server with a web
> browser.
>
> I'm accessing tomcat through a web browser on a machine other than the
> server.
>
> localhost_access_log.2013-01-31.txt
> ....
> 10.2.5.203 - - [31/Jan/2013:16:02:42 -0500] "GET / HTTP/1.1" 200 11243
> 10.2.5.203 - - [31/Jan/2013:16:06:37 -0500] "GET /manager/html HTTP/1.1" 401 2486
> 10.2.5.203 - - [31/Jan/2013:16:06:47 -0500] "GET /manager/html HTTP/1.1" 401 2486
>

OK.
> The whole log file is a little long for inclusion on the mail list;
> however, I did find a few interesting issues after the startup command.
>
> catalina.2013-01-31.log
> ...
> Jan 31, 2013 4:16:46 PM org.apache.catalina.realm.CombinedRealm startInternal
> SEVERE: Failed to start "org.apache.catalina.realm.MemoryRealm/1.0" realm
> org.apache.catalina.LifecycleException: Failed to start component
> [Realm[MemoryRealm]]
> at (...)
> Caused by: org.xml.sax.SAXParseException: The content of elements must
> consist of well-formed character data or markup.
> at

Broken file, as explained above.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
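As an added example (not code from the thread or from Tomcat), the Python script below does two things the reply recommends checking by hand: it reports the line of an XML well-formedness error in a constructed tomcat-users.xml that contains the "--" inside a comment pitfall, and it models the RemoteAddrValve allow/deny evaluation order described in the Tomcat 7 valve documentation to show why allow="10.2.0.0|10.2.255.255" refuses the 10.2.5.203 client seen in the access log while allow="10\.2\.\d+\.\d+" admits it. The valve model is a re-implementation of the documented rules, not Tomcat's own code, and the sample file and account values are constructed.

```python
import re
import xml.etree.ElementTree as ET


def check_well_formed(xml_text):
    """Parse with expat and return (True, None) or (False, 'line L, column C: reason').

    Tomcat's SAXParseException in the thread names no line; expat's position does."""
    try:
        ET.fromstring(xml_text)
        return True, None
    except ET.ParseError as e:
        line, col = e.position
        return False, f"line {line}, column {col}: {e.msg}"


def remote_addr_allowed(ip, allow=None, deny=None):
    """Model of the RemoteAddrValve rules in the Tomcat 7 valve docs:
    a deny match refuses; an allow match admits; a valve with only a deny
    pattern admits everything else; anything else is refused.
    Java's Matcher.matches() is a full match, hence re.fullmatch."""
    if deny and re.fullmatch(deny, ip):
        return False
    if allow and re.fullmatch(allow, ip):
        return True
    if deny and not allow:
        return True
    return False


# Constructed sample tomcat-users.xml with the "--" inside a comment pitfall.
BROKEN_USERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <!-- manager accounts -- edit below -->
  <role rolename="manager-gui"/>
  <user username="admin" password="CHANGEME" roles="manager-gui"/>
</tomcat-users>
"""
FIXED_USERS_XML = BROKEN_USERS_XML.replace(" -- edit below", ": edit below")

CLIENT_IP = "10.2.5.203"                 # %h as seen in the thread's access log
BAD_ALLOW = "10.2.0.0|10.2.255.255"      # two near-literal strings, not a range
GOOD_ALLOW = r"10\.2\.\d+\.\d+"          # the pattern suggested in the reply

if __name__ == "__main__":
    print("broken:", check_well_formed(BROKEN_USERS_XML))
    print("fixed: ", check_well_formed(FIXED_USERS_XML))
    for pat in (BAD_ALLOW, GOOD_ALLOW):
        print(f"allow={pat!r} admits {CLIENT_IP}: {remote_addr_allowed(CLIENT_IP, allow=pat)}")
```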