Hi Dan,
On Tue, Sep 2, 2014 at 7:50 AM, Daniel Mikusa <dmik...@pivotal.io> wrote:
>
>
>
> So using a RemoteAddrValve will allow you to restrict access by IP address,
> but the manager application is still configured to require authentication.
> See this note from the link I sent previously.
>
> "It would be quite unsafe to ship Tomcat with default settings that allowed
> anyone on the Internet to execute the Manager application on your server.
> Therefore, the Manager application is shipped with the requirement that
> anyone who attempts to use it must authenticate themselves, using a
> username and password that have one of manager-** roles associated with
> them (the role name depends on what functionality is required). Further,
> there is no username in the default users file
> ($CATALINA_BASE/conf/tomcat-users.xml) that is assigned to those roles.
> Therefore, access to the Manager application is completely disabled by
> default. "
>
> Did you do something in your previous setup to disable authentication?
>
>
That's what I am looking hard and I can't seem to find anything different I
did, in manager's web.xml in 7.0.23. There is nothing in manager's
META-INF/context.xml either.
>
>
> How are the JSP's invoking the JMXProxyServlet? Are they sending an HTTP
> request?
>
>
The JSPs simply forward the request to the jmxproxy servlet as follows, in
the heapused.jsp:
----------start of heapused.jsp:---------
<jsp:forward page="/jmxproxy/">
<jsp:param name="get" value="java.lang:type=Memory" />
<jsp:param name="att" value="HeapMemoryUsage" />
<jsp:param name="key" value="used" />
</jsp:forward>
--------------end of heapused.jsp--------
Thanks,
-Shanti
