How to CASify Tomcat Manager
This page provides a how-to in CASifying the Tomcat Manager web application.
Produced using Tomcat 5.0.28, but this approach should apply to other versions of Tomcat.
CASifying Standalone Tomcat
This section describes the (easier) case of CASifying Tomcat Manager where CATALINA_HOME is CATALINA_BASE.
Locate the web.xml descriptor for the manager web application
It will be in the /server/webapps/manager/WEB-INF directory of your Tomcat. For instance, mine's at I:\Tomcat\jakarta-tomcat-5.0.28\server\webapps\manager\WEB-INF .
Remove the container authentication and security stuff
We aren't going to use the Tomcat container authentication and servlet container security. We're going to replace it with CAS and a simple AuthZ filter.
Here's the stuff you don't need:
<!-- Define reference to the user database for looking up roles --> <resource-env-ref> <description> Link to the UserDatabase instance from which we request lists of defined role names. Typically, this will be connected to the global user database with a ResourceLink element in server.xml or the context configuration file for the Manager web application. </description> <resource-env-ref-name>users</resource-env-ref-name> <resource-env-ref-type> org.apache.catalina.UserDatabase </resource-env-ref-type> </resource-env-ref> <!-- Define a Security Constraint on this Application --> <security-constraint> <web-resource-collection> <web-resource-name>HTMLManger and Manager command</web-resource-name> <url-pattern>/jmxproxy/*</url-pattern> <url-pattern>/html/*</url-pattern> <url-pattern>/list</url-pattern> <url-pattern>/sessions</url-pattern> <url-pattern>/start</url-pattern> <url-pattern>/stop</url-pattern> <url-pattern>/install</url-pattern> <url-pattern>/remove</url-pattern> <url-pattern>/deploy</url-pattern> <url-pattern>/undeploy</url-pattern> <url-pattern>/reload</url-pattern> <url-pattern>/save</url-pattern> <url-pattern>/serverinfo</url-pattern> <url-pattern>/status/*</url-pattern> <url-pattern>/roles</url-pattern> <url-pattern>/resources</url-pattern> </web-resource-collection> <auth-constraint> <!-- NOTE: This role is not present in the default users file --> <role-name>manager</role-name> </auth-constraint> </security-constraint> <!-- Define the Login Configuration for this Application --> <login-config> <auth-method>BASIC</auth-method> <realm-name>Tomcat Manager Application</realm-name> </login-config> <!-- Security roles referenced by this web application --> <security-role> <description> The role that is required to log in to the Manager Application </description> <role-name>manager</role-name> </security-role>
After removing all that, you should be left with this:
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd"> <web-app> <display-name>Tomcat Manager Application</display-name> <description> A scriptable management web application for the Tomcat Web Server; Manager lets you view, load/unload/etc particular web applications. </description> <!-- Define the Manager Servlet Change servlet-class to: org.apache.catalina.servlets.HTMLManagerServlet to get a Servlet with a more intuitive HTML interface, don't change if you have software that is expected to parse the output from ManagerServlet since they're not compatible. --> <servlet> <servlet-name>Manager</servlet-name> <servlet-class>org.apache.catalina.manager.ManagerServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>2</param-value> </init-param> </servlet> <servlet> <servlet-name>HTMLManager</servlet-name> <servlet-class>org.apache.catalina.manager.HTMLManagerServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>2</param-value> </init-param> </servlet> <servlet> <servlet-name>Status</servlet-name> <servlet-class>org.apache.catalina.manager.StatusManagerServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> </servlet> <servlet> <servlet-name>JMXProxy</servlet-name> <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class> </servlet> <!-- Define the Manager Servlet Mapping --> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/list</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/sessions</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/start</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/stop</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/install</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/remove</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/deploy</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/undeploy</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/reload</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/save</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/serverinfo</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/roles</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Manager</servlet-name> <url-pattern>/resources</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Status</servlet-name> <url-pattern>/status/*</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>JMXProxy</servlet-name> <url-pattern>/jmxproxy/*</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>HTMLManager</servlet-name> <url-pattern>/html/*</url-pattern> </servlet-mapping> </web-app>
Add in CAS authentication
Now we have a bare, unprotected Manager. We need to add CAS authentication to it.
So we need to map the CASFilter to provide for authentication.
Add this to the web.xml (with appropriate URLs for your CAS server and the server name for the Manager you are CASifying).
<filter> <filter-name>CASFilter</filter-name> <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name> <param-value>https://secure.its.yale.edu/cas/login</param-value> </init-param> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name> <param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value> </init-param> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name> <param-value>hkg2.cis.yale.edu:8080</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
Require authorization
We haven't added much, if any, security yet, because anyone who can CAS authenticate can now access the Manager. We need to add an authorization layer. For this we'll use the very simple Filter that comes with the Java CAS client to declare NetIDs authorized to access the Manager.
Add this filter declaration:
<filter> <filter-name>Authz Filter</filter-name> <filter-class>edu.yale.its.tp.cas.client.filter.SimpleCASAuthorizationFilter</filter-class> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.authorizedUsers</param-name> <param-value>awp9</param-value> </init-param> </filter>
And add this filter mapping:
<filter-mapping> <filter-name>Authz Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
CASifying multiple Tomcats
Any takers for documenting how to CASify Tomcat Manager for an installation of several CATALINA_BASEs sharing a single CATALINA_HOME?