2013/4/23 Shanti Suresh <sha...@umich.edu>:
> All,
>
> I am wondering what I'm doing wrong - the Manager application is denying me
> access.
> Here are the details:
>
> Tomcat version:
>   7.0.33
> JDK version:
>   java version "1.7.0_09"
>   Java(TM) SE Runtime Environment (build 1.7.0_09-b05)
>   Java HotSpot(TM) 64-Bit Server VM (build 23.5-b02, mixed mode)
> Operating System:
>   RedHat Linux - 2.6.18-348.4.1.el5
>
> Steps I took to permit "manager":
> (1) ------------$CATALINA_HOME/conf/Catalina/localhost/manager.xml------:
> <Context path="/manager" privileged="true" antiResourceLocking="false"
> docBase="${catalina.home}/webapps/manager" >
>    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="127\.0\.0\.1"/>
> </Context>
> --------------------------------
>
> (2) ------$CATALINA_HOME/conf/tomcat-users.xml:------
>  <user username="jmxparty"
>         password="ggggggggr5678dcdddddddxxxxxx"
>      roles="standard,manager-jmx" />
> -------------------
>
> (3) --------$CATALINA_HOME/conf/server.xml:------Added digest=SHA:-----
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                resourceName="UserDatabase" digest="SHA"/>
>
> -----------------------
>
> (4) Added heapused.jsp as follows:
> $ cd $CATALINA_HOME/webapps/manager
> $ more heapused.jsp
> <jsp:forward page="/jmxproxy/">
> <jsp:param name="get" value="java.lang:type=Memory" />
> <jsp:param name="att" value="HeapMemoryUsage" />
> <jsp:param name="key" value="used" />
> </jsp:forward>
>
> (5) Restarted Tomcat
>
> (6) I get a 403 Access Denied upon:
> curl http://localhost:8080/manager/heapused.jsp
>
> I can't tell what I'm missing.  Also, steps #2 and #3 are not even required
> if I am using the RemoteAddrValve, correct?

No. They are not related to RemoteAddrValve.


I would say that you should be stopped by CsrfPreventionFilter,
because your heapused.jsp is not in the list of configured entry
points.

Shanti wrote:
> The funny thing is that I gather the JMX metrics in an identical manner on
> Tomcat 7.0.23 and JDK 1.6 on several  other RedHat Linux servers.

CVE-2012-4431

Best regards,
Konstantin Kolinko
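As an added illustration (not part of the original thread), this is what the CsrfPreventionFilter configuration in the Manager application's WEB-INF/web.xml looks like, with the forwarding JSP added as an entry point. The filter definition and mapping are shaped like the stock Tomcat 7 manager ones; the exact stock entryPoints value and the servlet names are stated from memory and should be checked against the installed web.xml.

```xml
<!-- Excerpt of $CATALINA_HOME/webapps/manager/WEB-INF/web.xml (illustrative) -->
<filter>
  <filter-name>CSRF</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <param-name>entryPoints</param-name>
    <!-- Requests to these paths are accepted WITHOUT a CSRF nonce.
         Anything else handled by the filtered servlets (see the mapping
         below) must carry a nonce issued from an entry point, or it is
         rejected with HTTP 403.  Stock list (assumed): the first four
         entries.  /heapused.jsp is the addition that lets the custom
         forwarding page through; note that listing it here deliberately
         exempts that URL from CSRF checking, so keep the RemoteAddrValve
         restriction on the Manager context in place. -->
    <param-value>/html,/html/,/html/list,/index.jsp,/heapused.jsp</param-value>
  </init-param>
</filter>

<!-- The filter is applied by servlet name, so every *.jsp in the Manager
     context (served by the "jsp" servlet) passes through it, which is why
     a JSP that merely forwards to /jmxproxy/ is still blocked. -->
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <servlet-name>HTMLManager</servlet-name>
  <servlet-name>jsp</servlet-name>
</filter-mapping>
```

After the change, restart Tomcat (or reload the Manager context) for the edited web.xml to take effect.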
