Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

Code Block
xml
xml
titleRemove this from the web.xml
   <!-- Define reference to the user database for looking up roles -->
  <resource-env-ref>
    <description>
      Link to the UserDatabase instance from which we request lists of
      defined role names.  Typically, this will be connected to the global
      user database with a ResourceLink element in server.xml or the context
      configuration file for the Manager web application.
    </description>
    <resource-env-ref-name>users</resource-env-ref-name>
    <resource-env-ref-type>
      org.apache.catalina.UserDatabase
    </resource-env-ref-type>
  </resource-env-ref>

  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTMLManger and Manager command</web-resource-name>
      <url-pattern>/jmxproxy/*</url-pattern>
      <url-pattern>/html/*</url-pattern>
      <url-pattern>/list</url-pattern>
      <url-pattern>/sessions</url-pattern>
      <url-pattern>/start</url-pattern>
      <url-pattern>/stop</url-pattern>
      <url-pattern>/install</url-pattern>
      <url-pattern>/remove</url-pattern>
      <url-pattern>/deploy</url-pattern>
      <url-pattern>/undeploy</url-pattern>
      <url-pattern>/reload</url-pattern>
      <url-pattern>/save</url-pattern>
      <url-pattern>/serverinfo</url-pattern>
      <url-pattern>/status/*</url-pattern>
      <url-pattern>/roles</url-pattern>
      <url-pattern>/resources</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <!-- NOTE:  This role is not present in the default users file -->
       <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <description>
      The role that is required to log in to the Manager Application
    </description>
    <role-name>manager</role-name>
  </security-role>

...

Code Block
xml
xml
titleBare web.xml

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

  <display-name>Tomcat Manager Application</display-name>
  <description>
    A scriptable management web application for the Tomcat Web Server;
	Manager lets you view, load/unload/etc particular web applications.
  </description>

  <!-- Define the Manager Servlet
       Change servlet-class to: org.apache.catalina.servlets.HTMLManagerServlet
       to get a Servlet with a more intuitive HTML interface, don't change if you
       have software that is expected to parse the output from ManagerServlet
       since they're not compatible.
   -->
  <servlet>
    <servlet-name>Manager</servlet-name>
    <servlet-class>org.apache.catalina.manager.ManagerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>2</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>HTMLManager</servlet-name>
    <servlet-class>org.apache.catalina.manager.HTMLManagerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>2</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>Status</servlet-name>
    <servlet-class>org.apache.catalina.manager.StatusManagerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
  </servlet>

  <servlet>
    <servlet-name>JMXProxy</servlet-name>
    <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
  </servlet>

  <!-- Define the Manager Servlet Mapping -->
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/list</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/sessions</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/start</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/stop</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/install</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/remove</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/deploy</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/undeploy</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/reload</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/save</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/serverinfo</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/roles</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/resources</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Status</servlet-name>
    <url-pattern>/status/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>JMXProxy</servlet-name>
      <url-pattern>/jmxproxy/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>HTMLManager</servlet-name>
    <url-pattern>/html/*</url-pattern>
  </servlet-mapping>

</web-app>

...

Now we have a bare, unprotected Manager. We need to add CAS authentication to it.

So we need to map the CASFilter to provide for authentication.

...

Code Block
xml
xml
titleDeclaring the CASFilter
   <filter>
    <filter-name>CASFilter</filter-name>
	<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
	<init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
		<param-value>https://secure.its.yale.edu/cas/login</param-value>
	</init-param>
	<init-param>
	    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
		<param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value>
	</init-param>
	<init-param>
	    <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
		<param-value>hkg2.cis.yale.edu:8080</param-value>
	</init-param>
  </filter>

  <filter-mapping>
      <filter-name>CASFilter</filter-name>
	  <url-pattern>/*</url-pattern>
  </filter-mapping>

...

We haven't added much, if any, security yet, because anyone who can CAS authenticate can now access the Manager. We need to add an authorization layer. For this we'll use the very simple Filter that comes with the Java CAS client to declare NetIDs authorized to access the Manager.

The SimpleCASAuthorization filter takes a whitespace-delimitted list of authorized usernames and asserts that the CAS authenticated username is one of these authorized users, throwing an exception when this is not the case. Here, for example, we authorize both user "awp9" and user "jdb53" to access Tomcat manager.

Add this filter declaration:

Code Block
xml
xml
titleDeclaring the Simple CAS Authorization filter

  <filter>
    <filter-name>Authz Filter</filter-name>
	<filter-class>edu.yale.its.tp.cas.client.filter.SimpleCASAuthorizationFilter</filter-class>
	<init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.authorizedUsers</param-name>
		<param-value>awp9<value>awp9 jdb53</param-value>
	</init-param>
  </filter>

...

Code Block
xml
xml
titleMapping the simple CAS Authorization filter
   <filter-mapping>
      <filter-name>Authz Filter</filter-name>
	  <url-pattern>/*</url-pattern>
  </filter-mapping>

...

Code Block
xml
xml
titleweb.xml for a CASified Manager

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

  <display-name>Tomcat Manager Application</display-name>
  <description>
    A scriptable management web application for the Tomcat Web Server;
	Manager lets you view, load/unload/etc particular web applications.
  </description>


  <filter>
    <filter-name>CASFilter</filter-name>
	<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
	<init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
		<param-value>https://secure.its.yale.edu/cas/login</param-value>
	</init-param>
	<init-param>
	    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
		<param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value>
	</init-param>
	<init-param>
	    <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
		<param-value>hkg2.cis.yale.edu:8080</param-value>
	</init-param>
  </filter>

  <filter>
    <filter-name>Authz Filter</filter-name>
	<filter-class>edu.yale.its.tp.cas.client.filter.SimpleCASAuthorizationFilter</filter-class>
	<init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.authorizedUsers</param-name>
		<param-value>awp9<value>awp9 jdb53</param-value>
	</init-param>
  </filter>

  <filter-mapping>
      <filter-name>CASFilter</filter-name>
	  <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
      <filter-name>Authz Filter</filter-name>
	  <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Define the Manager Servlet
       Change servlet-class to: org.apache.catalina.servlets.HTMLManagerServlet
       to get a Servlet with a more intuitive HTML interface, don't change if you
       have software that is expected to parse the output from ManagerServlet
       since they're not compatible.
   -->
  <servlet>
    <servlet-name>Manager</servlet-name>
    <servlet-class>org.apache.catalina.manager.ManagerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>2</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>HTMLManager</servlet-name>
    <servlet-class>org.apache.catalina.manager.HTMLManagerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>2</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>Status</servlet-name>
    <servlet-class>org.apache.catalina.manager.StatusManagerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
  </servlet>

  <servlet>
    <servlet-name>JMXProxy</servlet-name>
    <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
  </servlet>

  <!-- Define the Manager Servlet Mapping -->
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/list</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/sessions</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/start</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/stop</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/install</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/remove</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/deploy</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/undeploy</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/reload</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/save</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/serverinfo</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/roles</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
      <url-pattern>/resources</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Status</servlet-name>
    <url-pattern>/status/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>JMXProxy</servlet-name>
      <url-pattern>/jmxproxy/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>HTMLManager</servlet-name>
    <url-pattern>/html/*</url-pattern>
  </servlet-mapping>

</web-app>

...

Any takers for documenting how to CASify Tomcat Manager for an installation of several CATALINA_BASEs sharing a single CATALINA_HOME?

Edit