2 votes

I have two virtual hosts, and each host has the manager app deployed. Also, a user with the manager-gui role is added in Tomcat 8.0\conf\tomcat-users.xml. This user is able to access the manager app of both hosts. Is there any way to restrict a manager user to a specific host?

2
Not sure if it can be done, because I believe you cannot change the manager roles. The first thing that I always do, however, when setting up a new Tomcat virtual host is to apply a Remote Address Filter Valve for each manager. This allows access to each manager only from the IP addresses listed for that manager, which is a huge security improvement. - Richard Osseweyer
@acdhirr I have already enabled IP-based access. Also, I am not trying to create/change roles, just to ensure that specific users have access to specific virtual hosts. - Mukun

2 Answers

0 votes

You may define a Realm for each context in [tomcat_home]/conf/Catalina/[hostname]/manager.xml

<Context docBase="${catalina.home}/webapps/manager">

    <!-- Realm scoped to this context; it overrides the Host and Engine realms -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="userDatabase_2"/>

</Context>

Then in server.xml add an extra resource pointing to an alternative tomcat-users.xml file for each context:

<!-- A relative pathname is resolved against CATALINA_BASE; a leading slash would make it absolute -->
<Resource name="userDatabase_2" auth="Container"
          type="org.apache.catalina.UserDatabase"
          description="another user database"
          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users-2.xml" />

I must confess that I have not thoroughly tested this. Even though it might work, it's not advised to use the UserDatabaseRealm on production systems.

If you prefer to use, for instance, form-based authentication using a DataSourceRealm, you may change the login-config in [tomcat_home]/webapps/host-manager/WEB-INF/web.xml to use FORM-based authentication and include a datasource Resource in the Context elements. https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html

0 votes

First of all, create a new user XML database file inside [tomcat_home]/conf; let's call it tomcat-users-2.xml.

Add the following entry into the tomcat-users-2.xml file:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <user username="[$yourUsername]" password="[$yourPassword]" roles="tomcat,manager-gui"/>
</tomcat-users>

Notice that you can add more than one <user> tag inside <tomcat-users>.

Then in your [tomcat_home]/conf/server.xml file, find <GlobalNamingResources> tag and add (inside it):

<Resource name="UserDatabase2" auth="Container"
          type="org.apache.catalina.UserDatabase"
          description="User database that can be updated and saved"
          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users-2.xml" />

Place the following code inside the <Host ...></Host> tags of the app you want to restrict the user to:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase2"/>

Finally, you must restart Tomcat for the changes to take effect.
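As an added example that is not part of the question or either answer: the layout both answers describe (a per-Host UserDatabaseRealm whose resourceName points at its own UserDatabase resource and user file) written out for two virtual hosts, together with a small Python audit that parses the resulting server.xml and user files and reports any manager-gui user who can still reach more than one host. Host names, file names and users are constructed sample data, not a real deployment; one Host is deliberately left without its own Realm so it inherits the Engine realm, which is exactly the situation the question describes.

```python
"""Audit which manager-gui users can reach which Tomcat virtual host.

Assumes the per-Host UserDatabaseRealm layout from the answers above: each
<Host> carries a <Realm resourceName="..."> naming a <Resource> under
<GlobalNamingResources> whose pathname is a tomcat-users style file.
All names below are constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed server.xml: alpha and beta each get their own realm; gamma has
# none, so it inherits the Engine realm (the usual default in server.xml).
SERVER_XML = """<Server>
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml"/>
    <Resource name="UserDatabase2" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users-2.xml"/>
  </GlobalNamingResources>
  <Engine name="Catalina" defaultHost="alpha.example.test">
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
    </Realm>
    <Host name="alpha.example.test" appBase="webapps-alpha">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
    </Host>
    <Host name="beta.example.test" appBase="webapps-beta">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase2"/>
    </Host>
    <Host name="gamma.example.test" appBase="webapps-gamma"/>
  </Engine>
</Server>"""

# Constructed user databases keyed by pathname. "alice" is deliberately in
# both files to show what the audit catches; passwords are placeholders.
USER_FILES = {
    "conf/tomcat-users.xml": """<tomcat-users>
  <user username="alice" password="[placeholder]" roles="manager-gui"/>
  <user username="bob" password="[placeholder]" roles="tomcat"/>
</tomcat-users>""",
    "conf/tomcat-users-2.xml": """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="carol" password="[placeholder]" roles="manager-gui"/>
  <user username="alice" password="[placeholder]" roles="manager-gui"/>
</tomcat-users>""",
}


def manager_users(user_xml):
    """Usernames granted manager-gui in a tomcat-users document (namespace tolerant)."""
    users = set()
    for el in ET.fromstring(user_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # strip any xmlns prefix
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if "manager-gui" in roles:
            users.add(el.get("username"))
    return users


def _resource_name(realm):
    """First resourceName at or below a Realm element (unwraps LockOutRealm nesting)."""
    found = [el.get("resourceName") for el in realm.iter("Realm") if el.get("resourceName")] if realm is not None else []
    return found[0] if found else None


def host_realms(server_xml):
    """Map each Host name to the UserDatabase resource whose realm governs it."""
    result = {}
    for engine in ET.fromstring(server_xml).iter("Engine"):
        inherited = _resource_name(engine.find("Realm"))  # Engine realm is the fallback
        for host in engine.findall("Host"):
            result[host.get("name")] = _resource_name(host.find("Realm")) or inherited
    return result


def audit(server_xml, user_files):
    """Return {username: [hosts]} for manager-gui users that reach more than one host."""
    root = ET.fromstring(server_xml)
    paths = {r.get("name"): r.get("pathname") for r in root.iter("Resource")}
    reach = {}
    for host, resource in host_realms(server_xml).items():
        for user in manager_users(user_files.get(paths.get(resource), "<tomcat-users/>")):
            reach.setdefault(user, set()).add(host)
    return {u: sorted(h) for u, h in reach.items() if len(h) > 1}


if __name__ == "__main__":
    for user, hosts in audit(SERVER_XML, USER_FILES).items():
        print(f"{user}: manager-gui on {', '.join(hosts)}")
```

Run against real files by reading conf/server.xml and each referenced user file from CATALINA_BASE into the same two inputs. In the constructed data, alice is flagged on all three hosts: she is in the file behind UserDatabase (alpha, and gamma by inheritance) and was also copied into tomcat-users-2.xml (beta), while carol correctly appears only on beta. The lesson for the question: giving each Host its own Realm only restricts a user if that user is absent from the other hosts' databases and the Engine-level database.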