We've had the same LDAP realm configured for probably 10 years, and the same roles in our LDAP for probably the same. We have 4 roles configured in LDAP: manager-gui, manager-jmx, manager-script, and manager-status. My user only has the manager-gui role. Everything has worked fine up until about the time we moved to Tomcat 10.1. Now I can log in just fine, but if I try to click stop, start, reload, or undeploy, I always get a 403. I don't see any errors in the logs telling me why. Does anyone have pointers on debugging this? My user only has the manager-gui role; the only users with the JMX or script roles are the users I use for Nagios monitoring of JMX parameters.
FYI: I can't reproduce it using Tomcat 10.1 running in Docker with the same LDAP realm configuration, so that tells me it has nothing to do with the roles not being correct, and they should be correct since they haven't changed since I set things up probably 10 years ago. The only change has been the upgrade of Tomcat.

Could CSRF somehow be involved? It might be about when CSRF was introduced that I started having issues. I haven't tried removing the filter yet, only because it really doesn't seem related based on my understanding of how the filter works.

If someone knows the specific packages I might want to bump up the logging on, that would probably be most helpful at this point.

Cheers!
Dan
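The thread asks which packages to raise logging on so the 403 becomes visible in the logs. The fragment below is an added example, not part of the original posts or Tomcat's shipped configuration; it assumes the stock `conf/logging.properties` that comes with the Tomcat distribution (whose catalina file handler is named `1catalina.org.apache.juli.AsyncFileHandler`) and a realm and manager app configured in `server.xml` as described above. Appended to that file and followed by a restart, it makes the realm's role lookups, the authenticator's constraint decisions and any filter rejection show up at FINE, so a 403 caused by a failed role check reads differently from one caused by a CSRF nonce rejection:

```properties
# Added example (not from the thread): append to $CATALINA_BASE/conf/logging.properties.
# Assumes the stock file shipped with Tomcat, where the catalina.<date>.log handler
# is named 1catalina.org.apache.juli.AsyncFileHandler.

# The handler itself must let FINE messages through; otherwise the logger
# levels below change nothing that is written to disk.
1catalina.org.apache.juli.AsyncFileHandler.level = FINE

# Realm classes (RealmBase, JNDIRealm): the DN the user was found under,
# the roles retrieved from LDAP, and the outcome of each hasRole() check.
org.apache.catalina.realm.level = FINE

# Authenticators (FORM/BASIC/...): whether the request is already authenticated
# and whether the security constraint on the requested URL was satisfied.
org.apache.catalina.authenticator.level = FINE

# Servlet filters shipped with Tomcat, including CsrfPreventionFilter:
# a request turned away for a missing or stale nonce is logged here
# before the 403 is sent back.
org.apache.catalina.filters.level = FINE
```

When Tomcat runs in Docker and logs to stdout, raise `java.util.logging.ConsoleHandler.level = FINE` instead of (or as well as) the file handler. FINE realm logging records usernames, bind DNs and role lists for every request, so reset the levels to INFO once the cause is found.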