How to access the manager servlet of Apache Tomcat


If you set up a brand new Tomcat with the default configuration, you cannot access the manager servlet: every request to http://[YourHost]:[TomcatPort]/manager/html is answered with HTTP status 403 ("Access to the requested resource has been denied"). On a production system the manager servlet should always stay deactivated; the default configuration hides it for exactly these security reasons. If you still want to access the manager servlet, add a few lines to your tomcat-users.xml at $CATALINA_HOME/conf/tomcat-users.xml and restart Tomcat.

The default content of tomcat-users.xml is:

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
        <role rolename="tomcat" />
        <role rolename="role1" />
        <role rolename="admin" />
        <user username="tomcat" password="tomcat" roles="tomcat" />
        <user username="role1" password="tomcat" roles="role1" />
        <user username="both" password="tomcat" roles="tomcat,role1" />
    </tomcat-users>

To make the manager servlet reachable, modify your tomcat-users.xml as follows (the added lines define a manager role and a user that holds it):

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
        <role rolename="tomcat" />
        <role rolename="role1" />
        <role rolename="manager" />
        <role rolename="admin" />
        <user username="tomcat" password="tomcat" roles="tomcat" />
        <user username="role1" password="tomcat" roles="role1" />
        <user username="both" password="tomcat" roles="tomcat,role1" />
        <user username="YOUR_USERNAME" password="YOUR_PASSWORD" roles="manager,admin" />
    </tomcat-users>

After restarting Tomcat you can access http://[YourHost]:[TomcatPort]/manager/html by entering YOUR_USERNAME and YOUR_PASSWORD at the browser's login prompt. Some might think a strong password on the manager/admin account is protection enough. But is it really safe to hide the manager servlet behind a simple login prompt? No! You do not want anyone who knows the login to reach your Tomcat server's manager servlet and undeploy all your applications, whether they do it maliciously or simply by mistake. To protect Tomcat and its applications from such faults, do not modify the default tomcat-users.xml on production systems.
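As an added example (not part of the original post), the following audit script parses a tomcat-users.xml and reports every account that can reach the manager servlet or still carries a default or placeholder password, so a production host can be checked for exactly the modification described above. The embedded file content is constructed from the second listing; the manager-*/admin-* role names are an assumption covering the finer-grained roles newer Tomcat releases ship with in addition to the "manager" and "admin" names the post uses.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the modified tomcat-users.xml from the post,
# with the placeholder credentials left in place.
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
    <role rolename="tomcat" />
    <role rolename="role1" />
    <role rolename="manager" />
    <role rolename="admin" />
    <user username="tomcat" password="tomcat" roles="tomcat" />
    <user username="role1" password="tomcat" roles="role1" />
    <user username="both" password="tomcat" roles="tomcat,role1" />
    <user username="YOUR_USERNAME" password="YOUR_PASSWORD" roles="manager,admin" />
</tomcat-users>
"""

# Roles that open the manager/admin web applications. "manager" and "admin"
# are the names used in the post; the others are assumed to match the
# finer-grained roles of newer Tomcat releases.
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script",
                    "manager-jmx", "manager-status", "admin-gui", "admin-script"}

# Credentials from the shipped example file that must never survive in production.
DEFAULT_PASSWORDS = {"tomcat", "YOUR_PASSWORD"}


def _local_name(tag):
    # Newer tomcat-users.xml files declare a default namespace; strip it.
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, reason) findings for a tomcat-users.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        name = el.get("username", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        granted = sorted(roles & PRIVILEGED_ROLES)
        if granted:
            findings.append((name, "can reach manager servlet via roles " + ",".join(granted)))
        if el.get("password", "") in DEFAULT_PASSWORDS:
            findings.append((name, "uses a default/placeholder password"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {reason}")
```

Run against the real file with `audit_tomcat_users(open("/path/to/conf/tomcat-users.xml").read())`; an empty result is what a production host should return.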