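1. Tomcat Notes
1.1. Role Categories in Tomcat Manager
- manager-gui role
Allows access to the HTML GUI and the status pages (URL path /manager/html/*)
- manager-script role (remote hot deployment of Maven projects)
Allows access to the text interface and the status pages (URL path /manager/text/*)
- manager-jmx role
Allows access to the JMX proxy and the status pages (URL path /manager/jmxproxy/*)
- manager-status role
Allows access to the status pages only (URL path /manager/status/*)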
1.2. How to Allow Remote Access to Tomcat Manager
- The upstream-provided (example) webapps are not enabled by default, per upstream’s security recommendations, but are still available under the webapps.dist folder within the image to make them easier to re-enable.
- The configuration files are available in /usr/local/tomcat/conf/. By default, no user is included in the “manager-gui” role required to operate the “/manager/html” web application. If you wish to use this app, you must define such a user in tomcat-users.xml.
1.2.1. Configure Tomcat User Roles and Permissions
First, you need to create a user with the appropriate roles and permissions to access Tomcat Manager remotely. Edit the “tomcat-users.xml” file, which is typically located in the “conf” directory of your Tomcat installation. Add the following XML snippet inside the element:
<role rolename="manager-gui"/>
<user username="your-username" password="your-password" roles="manager-gui"/>
Replace “your-username” and “your-password” with your desired credentials. Save the changes and restart Tomcat for the changes to take effect.
1.2.2. Modify the Tomcat Manager Remote Access Policy
Tomcat has a context file for each deployed web application under the conf/Catalina/localhost directory. The file has the same name as the web app, such as manager.xml or host-manager.xml.
So, if the file is not present, you need to create a file conf/Catalina/localhost/manager.xml and specify the rule to allow remote hosts.
sudo nano ${CATALINA_HOME}/conf/Catalina/localhost/manager.xml
Add the following content.
<Context privileged="true" antiResourceLocking="false"
docBase="${catalina.home}/webapps/manager">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
</Context>
Save file and close it.
You also need to create an XML file for the host-manager web app to allow access for remote hosts.
sudo nano ${CATALINA_HOME}/conf/Catalina/localhost/host-manager.xml
Add the following content.
<Context privileged="true" antiResourceLocking="false"
docBase="${catalina.home}/webapps/host-manager">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
</Context>
Save file and close it.
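The allow="^.*$" pattern in both context files admits every client address, so the manager apps are then protected only by the credentials in tomcat-users.xml. The following is an added example, not part of the original notes or of Tomcat: it checks a context file's RemoteAddrValve against probe addresses and contrasts the page's pattern with a constructed restricted one. The function names, the probe addresses and the 192.0.2.10 admin host are assumptions, and Python's re module stands in for Java's regex engine.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"
# Probe addresses from documentation-only ranges (RFC 5737, RFC 3849); a valve
# that admits them is not limited to an admin network.
PROBES = ("203.0.113.7", "198.51.100.20", "2001:db8::1")

# Context file with the allow pattern given on this page: matches every address.
OPEN_CONTEXT = r"""<Context privileged="true" antiResourceLocking="false"
    docBase="${catalina.home}/webapps/manager">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
</Context>"""

# Constructed alternative: loopback plus one admin host (192.0.2.10 is a placeholder).
RESTRICTED_CONTEXT = r"""<Context privileged="true" antiResourceLocking="false"
    docBase="${catalina.home}/webapps/manager">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.0\.2\.10" />
</Context>"""


def admitted(addr, allow, deny=None):
    """Model the valve's decision: deny is checked first, and a pattern must
    match the whole address (full match, not a substring search)."""
    if deny and re.fullmatch(deny, addr):
        return False
    return bool(re.fullmatch(allow, addr))


def audit_context(xml_text):
    """Return the probe addresses admitted by every RemoteAddrValve that has an
    allow pattern; an empty list means the probes are all rejected."""
    root = ET.fromstring(xml_text)
    valves = [v for v in root.iter("Valve")
              if v.get("className") == VALVE and v.get("allow")]
    if not valves:
        raise ValueError("no RemoteAddrValve with an allow pattern in this file")
    exposed = set(PROBES)
    for v in valves:
        exposed &= {p for p in PROBES if admitted(p, v.get("allow"), v.get("deny"))}
    return sorted(exposed)


if __name__ == "__main__":
    for name, text in (("open", OPEN_CONTEXT), ("restricted", RESTRICTED_CONTEXT)):
        hits = audit_context(text)
        print(f"{name}: {'EXPOSED to ' + ', '.join(hits) if hits else 'restricted'}")
```

The same check applies unchanged to host-manager.xml, since it uses the same valve.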
1.2.3. Access Tomcat Manager Remotely
http://your-tomcat-server-ip:port/manager/html
http://your-tomcat-server-ip:port/manager/status
http://your-tomcat-server-ip:port/manager/jmxproxy