Skip to content

Adding default manager roles in tomcat users config. #412

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 4 commits into from
Closed

Adding default manager roles in tomcat users config. #412

wants to merge 4 commits into from

Conversation

@dagnelies
Copy link

@dagnelies dagnelies commented Mar 8, 2021

Every time I install a tomcat, I first add the tomcat manager users, and I think a lot of people do this as well. However, currently, it's kind of a pain because you have to look it up first what exactly should be written and create the roles/users manually. This here makes it trivial.

dagnelies added 2 commits March 8, 2021 12:40
@dagnelies
Update tomcat-users.xml
48d3e68 
Adding default manager roles in tomcat users config.
@dagnelies
Update tomcat-users_2.xml
b1cf5b4 
Adding default manager roles in tomcat users config.
@dagnelies
Copy link
Author

dagnelies commented Mar 10, 2021

...I guess the travis CI is currently broken

@martin-g
Copy link
Member

martin-g commented Mar 10, 2021

For some reason getParentStream() returns null on s390x (JDK11).

tomcat/java/org/apache/coyote/http2/AbstractNonZeroStream.java

Line 125 in efe0fe8

getParentStream().addChild(replacement);

@ChristopherSchultz
Copy link
Contributor

ChristopherSchultz commented Mar 11, 2021

For some reason getParentStream() returns null on s390x (JDK11).

tomcat/java/org/apache/coyote/http2/AbstractNonZeroStream.java

Line 125 in efe0fe8

getParentStream().addChild(replacement);

🤔

@dagnelies
Copy link
Author

dagnelies commented Apr 12, 2021

Hi, since the Travis CI possibly failed due to some unrelated instability, can we perhaps simply try to re-run it?

@martin-g
Copy link
Member

martin-g commented Apr 12, 2021

can we perhaps simply try to re-run it?

Re-scheduled it!

@kkolinko
Copy link

kkolinko commented Apr 12, 2021
edited
Loading

<user username="admin" password="<must-be-changed>" roles="manager-gui,manager-jmx"/>

-1 for the above line. The "manager-jmx" role is not intended to be used by human users: it does not have CSRF protection.

See
https://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html#Configuring_Manager_Application_Access

<role rolename="manager-gui"/> etc.

There rarely is a need to explicitly create roles like the above. When parsing the tomcat-users.xml file, all roles mentioned in users are created automatically.

kkolinko
kkolinko suggested changes Apr 12, 2021
View reviewed changes
Copy link

@kkolinko kkolinko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "manager-jmx" role and "manager-gui" roles should not be used together. (As I wrote is a comment earlier. Resubmitting via "Code review" panel.)

@dagnelies
Copy link
Author

dagnelies commented Apr 12, 2021
edited
Loading

@kkolinko Regarding:

There rarely is a need to explicitly create roles like the above. When parsing the tomcat-users.xml file, all roles mentioned in users are created automatically.

I wasn't aware of that. If roles are automatically generated, what's the use of the role tag at all? I just assumed it was required since it's present in all examples.

I'll remove the JMX part.

@kkolinko
Copy link

kkolinko commented Apr 12, 2021

@kkolinko Regarding:

There rarely is a need to explicitly create roles like the above. When parsing the tomcat-users.xml file, all roles mentioned in users are created automatically.

I wasn't aware of that. If roles are automatically generated, what's the use of the role tag at all? I just assumed it was required since it's present in all examples.

  • If you need to declare a role that has no users assigned to it, the role can be declared with a "role" element. Such use case is rare (e.g. if users are managed via some GUI and you want to be able to list all available roles).
  • When a user database is saved (written out), "role" elements are written as well, for completeness. This operation can be triggered via JMX.

@markt-asf markt-asf closed this in 94c352d May 19, 2021
markt-asf added a commit that referenced this pull request May 19, 2021
@markt-asf
Fix #412. Add commented out users for the Manager app
3a06704 
Based on a PR by Arnaud Dagnelies.
markt-asf added a commit that referenced this pull request May 19, 2021
@markt-asf
Fix #412. Add commented out users for the Manager app
7e5c30d 
Based on a PR by Arnaud Dagnelies.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@martin-g martin-g martin-g approved these changes

+1 more reviewer

@kkolinko kkolinko kkolinko requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dagnelies @martin-g @ChristopherSchultz @kkolinko