- By default the manager application only accepts requests from a browser on the Tomcat host itself: its context file, tomcat_home/webapps/manager/META-INF/context.xml, carries a RemoteAddrValve whose allow regex admits only loopback addresses. Remote management means editing that file (the same Valve can instead be placed in conf/Catalina/localhost/manager.xml, which takes precedence over the copy inside the webapp). The edit shown below simply comments the Valve out, which removes the address check altogether and exposes the manager, and with it the ability to deploy arbitrary WAR files, to every host that can reach the connector. Prefer extending the allow regex with the specific administrator addresses (keeping the dots escaped, since the value is a Java regular expression that must match the whole client address) over removing the Valve, and serve the manager only over a TLS connector, because its default BASIC authentication sends credentials in the clear.
<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
change it to the following, which disables the address filter entirely:
<Context antiResourceLocking="false" privileged="true" >
<!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> -->
</Context>
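An added example (not from the original note or from Tomcat itself) that mirrors how RemoteAddrValve evaluates its allow attribute: the attribute is compiled as a Java regular expression and the client address must match it in full, which re.fullmatch reproduces. It compares the shipped default, the "valve commented out" state produced by the edit above, a hardened pattern that adds specific administrator addresses, and a sloppy pattern with unescaped dots. The admin jump host 10.0.0.5, the 192.168.10.0/24 admin range and the sample client addresses are assumptions constructed for this example.

```python
import re

# Default allow pattern shipped in webapps/manager/META-INF/context.xml (quoted above).
DEFAULT_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

# Hardened alternative: keep loopback and add only the admin addresses that need the
# manager. 10.0.0.5 (a jump host) and 192.168.10.0/24 (an admin VLAN) are assumed values.
HARDENED_ALLOW = (r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
                  r"|10\.0\.0\.5|192\.168\.10\.\d{1,3}")

# A typo-prone version of the same idea: unescaped dots match any character and the
# trailing ".*" swallows the rest, so it admits far more than the intended /24.
SLOPPY_ALLOW = r"192.168.10.*"

# The edit above comments the Valve out entirely; model that as allow=None.
VALVE_REMOVED = None


def is_allowed(remote_addr, allow):
    """Return True if RemoteAddrValve would let this client address through.

    The valve compiles `allow` as a java.util.regex.Pattern and calls matches(),
    which requires the whole address to match; re.fullmatch has the same
    semantics. With no deny attribute set, anything that fails `allow` is
    rejected. When the valve is absent (allow is None) every address passes.
    """
    if allow is None:
        return True
    return re.fullmatch(allow, remote_addr) is not None


def evaluate(allow, addresses):
    """Map each address to the valve's decision for a given allow pattern."""
    return {addr: is_allowed(addr, allow) for addr in addresses}


# Constructed client addresses covering loopback, the intended admins and outsiders.
SAMPLE_ADDRESSES = [
    "127.0.0.1",       # IPv4 loopback
    "::1",             # IPv6 loopback
    "10.0.0.5",        # assumed admin jump host
    "10.0.0.50",       # neighbour that a prefix match would wrongly admit
    "192.168.10.77",   # inside the assumed admin /24
    "192.168.100.7",   # a different subnet that the sloppy pattern still admits
    "203.0.113.9",     # arbitrary Internet host (TEST-NET-3)
]

if __name__ == "__main__":
    for name, allow in [("default", DEFAULT_ALLOW), ("valve removed", VALVE_REMOVED),
                        ("hardened", HARDENED_ALLOW), ("sloppy", SLOPPY_ALLOW)]:
        print(f"== {name}: allow={allow!r}")
        for addr, ok in evaluate(allow, SAMPLE_ADDRESSES).items():
            print(f"  {addr:<16} {'ALLOW' if ok else 'deny'}")
```

Run it and compare the four tables: the hardened pattern admits 10.0.0.5 but not 10.0.0.50 precisely because matching is anchored, while the sloppy pattern admits 192.168.100.7 because its unescaped dots and trailing `.*` no longer describe a /24 at all.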
- Tomcat ships with a built-in management application, Tomcat Manager, for administering the server and the web applications deployed on it.
- From Tomcat 7 onwards the single, coarse-grained manager role was split into the four roles below, so that the permissions the old role bundled together are now separated and assigned individually (Tomcat documentation: "Note that for Tomcat 7 onwards, the roles required to use the manager application were changed from the single manager role to the following four roles. You will need to assign the role(s) required for the functionality you wish to access.")
- manager-gui - allows access to the HTML GUI and the status pages
- manager-script - allows access to the text interface and the status pages
- manager-jmx - allows access to the JMX proxy and the status pages
- manager-status - allows access to the status pages only
- The HTML interface is protected against CSRF but the text and JMX interfaces are not. To maintain the CSRF protection:
- Users with the manager-gui role should not be granted either the manager-script or manager-jmx roles.
- If the text or jmx interfaces are accessed through a browser (e.g. for testing since these interfaces are intended for tools not humans) then the browser must be closed afterwards to terminate the session.
- Configuration: given the separation above, the following layout in TOMCAT_HOME/conf/tomcat-users.xml is a reasonable starting point, with one account per role so that no account holding manager-gui also holds manager-script or manager-jmx. The passwords "111111" are placeholders only: give every account its own strong password (or store digested credentials via a CredentialHandler), and create only the accounts that are actually needed.
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user username="gui" password="111111" roles="manager-gui"/>
<user username="script" password="111111" roles="manager-script"/>
<user username="jmx" password="111111" roles="manager-jmx"/>
<user username="status" password="111111" roles="manager-status"/>
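An added audit script (not part of the original note or of Tomcat) that reads a tomcat-users.xml and checks the two points made above: that no account combines manager-gui with the CSRF-unprotected manager-script or manager-jmx roles, and that passwords are not short or shared placeholders. The sample file is constructed from the four accounts above plus one deliberately wrong account; the weak-password rule (minimum length, no reuse, plaintext values assumed as in the fragment above) is a heuristic of this example, not a Tomcat rule.

```python
import xml.etree.ElementTree as ET

# Roles that must never share an account with manager-gui, because the text and JMX
# interfaces lack the CSRF protection the HTML GUI has (see the notes above).
GUI_ROLE = "manager-gui"
UNPROTECTED_ROLES = {"manager-script", "manager-jmx"}


def _local(tag):
    """Strip an XML namespace; newer Tomcat releases write
    <tomcat-users xmlns="http://tomcat.apache.org/xml">, older ones have none."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_text):
    """Return ({username: set(roles)}, {username: password}) from tomcat-users.xml text."""
    root = ET.fromstring(xml_text)
    roles_by_user, password_by_user = {}, {}
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat's MemoryUserDatabase accepts either username= or name= on <user>.
        name = el.get("username") or el.get("name")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        roles_by_user[name] = roles
        password_by_user[name] = el.get("password", "")
    return roles_by_user, password_by_user


def csrf_role_conflicts(roles_by_user):
    """Accounts holding manager-gui together with manager-script or manager-jmx."""
    return sorted(u for u, r in roles_by_user.items()
                  if GUI_ROLE in r and r & UNPROTECTED_ROLES)


def weak_passwords(password_by_user, min_length=12):
    """Heuristic assumed by this example: flag passwords shorter than min_length
    or reused by more than one account (values are treated as plaintext)."""
    counts = {}
    for p in password_by_user.values():
        counts[p] = counts.get(p, 0) + 1
    return sorted(u for u, p in password_by_user.items()
                  if len(p) < min_length or counts[p] > 1)


def audit(xml_text):
    """Run both checks and return the offending account names."""
    roles_by_user, password_by_user = parse_users(xml_text)
    return {"csrf_role_conflicts": csrf_role_conflicts(roles_by_user),
            "weak_passwords": weak_passwords(password_by_user)}


# Constructed tomcat-users.xml: the four single-role accounts from above plus an
# "admin" account that wrongly combines manager-gui with manager-script.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <user username="gui" password="111111" roles="manager-gui"/>
  <user username="script" password="111111" roles="manager-script"/>
  <user username="jmx" password="111111" roles="manager-jmx"/>
  <user username="status" password="111111" roles="manager-status"/>
  <user username="admin" password="correct-horse-battery-staple-9" roles="manager-gui, manager-script"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for check, users in audit(SAMPLE_TOMCAT_USERS).items():
        print(f"{check}: {', '.join(users) or 'none'}")
```

Point it at a real file with `audit(open(path).read())`; an empty list for csrf_role_conflicts is the property the documentation quoted above asks you to maintain.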