401 Unauthorized error while logging in Manager-App of Tomcat
I am trying to log in to the Manager App in Tomcat 7.0.22 for Mac OS X 10.7. Here is the error I am getting: http://f.cl.ly/items/421q1K3f1i0X1H1M181v/so.tiff
401 Unauthorized
You are not authorized to view this page. If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation. That file must contain the credentials to let you use this webapp.
For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above.
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
I have added t开发者_开发百科his in my tomcat-users.xml, still its not taking the same username/password.
<tomcat-users>
<role rolename="manager-gui"/>
<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>
</tomcat-users>
OK, I had this error too. Couldn't find the bug, couldn't find the bug, couldn't find the bug. My "tomcat-users" block looked just like this.
<tomcat-users>
<role rolename="manager-gui"/>
<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>
</tomcat-users>
FINALLY FOUND THE BUG. I kept editing the XML inside the XML comment block:
<!--
<tomcat-users>
<role rolename="manager-gui"/>
<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>
</tomcat-users>
-->
DOH!
So: don't forget to remove the "<!--" and "-->".
Sorry, I have to ask the obvious: Did you restart Tomcat?
If that doesn't work, try adding "admin-gui" to your roles:
<user name="tomcat" password="s3cret" roles="admin-gui,standard,manager-gui"/>
Check your browser.
I was running tomcat locally on Windows, and trying to log in using Chrome. None of the suggestions above seemed to work. Finally on a whim, I tried Firefox and got the login prompt! I restarted Chrome and tried it again, and still nothing. It appears our network policy screws with Chrome - probably blocking the popup login dialog.
I also encountered this problem. The content of my tomcat-users.xml was correct, but the file was not readable by Tomcat. I changed the file's group to tomcat7, restarted Tomcat, and voilà!
Here's the content of my tomcat-users.xml:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<user username="admin" password="admin" roles="manager-gui, admin-gui" />
</tomcat-users>
To add some clarity, here are the roles you need to add to your conf/tomcat-users.xml as of Tomcat 7.x. If you want to keep the comments you can, but this is all you need (to log in with admin/admin) in the file:
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="admin" password="admin" roles="manager-gui, manager-script, manager-jmx, manager-status, admin-gui, admin-script"/>
</tomcat-users>
Its unlikely that anybody made the same mistake I did, but incase you have a couple versions of tomcat (or have fudged the installation and have files you need to cleanup) make sure you are in the correct folder.
I was looking at the config file in C:\tomcat7\ but the actual Tomcat that was running was in C:\Program Files\Apache Software Foundation\Tomcat 7.0\
Check the exact lines in server.xml
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
Navdeep
If you are at Tomcat 8, you maybe missing the following. After updating the Realms
and tomcat-users.xml
, you also need to edit the apps' context.xml
.
By default, newer versions of Tomcat restrict access to the Manager and Host Manager apps to connections coming from the server itself. Since we are installing on a remote machine, you will probably want to remove or alter this restriction. To change the IP address restrictions on these, open the appropriate context.xml files.
For Manager app:
/webapps/manager/META-INF/context.xml
For Host-Manager app:
/opt/tomcat/webapps/host-manager/META-INF/context.xml
Comment out the following section for Valve as follows-
<Context antiResourceLocking="false" privileged="true" >
<!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->
</Context>
You should be allset after this.
I had same error then I changed password in users.xml. It solved. If you use some special chars like &
or @
. It doesn't work. Remove it.
Changing the port from 8080 to 8088 in server.xml worked for me.Refer the code below
<Connector port="8088" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
I was getting the exact the same error and it only started working after I changed the connector port from 8080 to 8081.
Also make sure that you have set TOMCAT_HOME as well as JAVA_HOME environment variables correctly.
In windows I had a CATALINA_HOME environment variable defined for another tomcat installation so that was stating even though I was using the startup script in the new installation folder. So just deleting CATALINA_HOME solved the problem for me.
In my case, I had multiple <Engine><Host>...</Host></Engine>
sections in my context.xml
and I had to copy and paste the <Realm className="org.apache.catalina.realm.LockOutRealm">...</Realm>
into each <Engine>...</Engine>
section because I had the manager app deployed in each one of these hosts that were part of a separate Engine
.
The answer from @swapnil chaudhari about the IP address restriction in the app's META-INF/context.xml
is also helpful, however I found it more beneficial to override the Context
in my server's server.xml
.
In the end, I have something like this for each one of my Engines
:
<Engine name="CatalinaMyUniqueEngine"
defaultHost="MyUniqueHost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="MyUniqueHost"
appBase="/opt/tomcat/webapps/MyUniqueHost"
unpackWARs="true" autoDeploy="true">
<Context path="/manager" privileged="true" antiResourceLocking="false"
docBase="manager">
<!-- Wider allowance than the default.
Or you can remove to allow all IPs, which probably isn't
a good idea. -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.0\.0\.1|10\.244\.\d+.\d+" />
</Host>
</Engine>
docBase
is relative to appBase
. In /opt/tomcat/webapps/MyUniqueHost
, I have a symbolic link to the manager application installed by my system's package manager (Debian-based), which placed it at /usr/share/tomcat8-admin/manager
. These symbolic links allow me to use the manager app in all my Hosts
without copying the manager application.
Just to add some information on @David's answer:
If you are like me and SFTP to the host with any user under a group other than tomcat (for e.g. root) and edit tomcat_users.xml
with some generic editor like gedit or VS Code, the group of the file will be changed to the user you used (probably because a new file was created). Like below:
drwxr-x--- 2 root tomcat 4096 Jun 21 11:41 ./
drwxr-xr-x 9 root tomcat 4096 May 24 14:12 ../
-rw-r----- 1 root tomcat 13531 Apr 28 03:34 catalina.policy
-rw-r----- 1 root tomcat 7202 Apr 28 03:34 catalina.properties
-rw-r----- 1 root tomcat 1400 Apr 28 03:34 context.xml
-rw-r----- 1 root tomcat 1149 Apr 28 03:34 jaspic-providers.xml
-rw-r----- 1 root tomcat 2313 Apr 28 03:34 jaspic-providers.xsd
-rw-r----- 1 root tomcat 3850 Apr 28 03:34 logging.properties
-rw-r----- 1 root tomcat 7511 Apr 28 03:34 server.xml
-rw-r----- 1 root root 2342 Jun 21 11:41 tomcat-users.xml
-rw-r----- 1 root tomcat 2633 Apr 28 03:34 tomcat-users.xsd
-rw-r----- 1 root tomcat 170202 Apr 28 03:34 web.xml
Maybe my initial setup of tomcat was a bit casual... But with the above behavior, tomcat will loose access to the edited file. The result would be 401 Unauthorized.
There are a number of options to get around the problem. I'm not sure if any of them is the best practice though.
- Changing permission after the edit (yes sure...).
- nano and WinSCP do not seem to suffer from the issue.
- SETGID: chmod g+s /conf_folder (not tested).
- Follow this answer
- Maybe an editor that is permission-aware?
The below should work for a "vanilla" installation (or zip/tar archive) - replace your tomcat-users.xml with (similar to) this:
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="abc" password="xyz" roles="manager-gui, manager-script, manager-jmx, manager-status, admin-gui, admin-script"/>
</tomcat-users>
I ran into similar issue and still not able to login using Google Chrome (Version 73.0.3683.103) as on date 05/14/2019 10:30am CST despite reinstalling/configuring Google Chrome multiple times.
I would suggest, try using different browser such as Firefox/IE etc if you are running into this issue even after fiddling a lot with xmls.
So if nothing else works for you check that here
I had messed in my server.xml with the following line
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="jdbc/myapp"/>
That here should always be resourceName="UserDatabase"
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
I mistakenly thought it had to do with my applilcation database and have configured it. This here is the tomcat user database not the database that you have to your application.
Another thing to notice on Mac if you install Tomcat via homebrew is that the tomcat-users.xml file exists in 2 different location.
/usr/local/opt/tomcat@9/libexec/conf/tomcat-users.xml
/usr/local/Cellar/tomcat@9/9.0.65/.bottle/etc/tomcat@9
You need to add the role/user in the tomcat-users.xml within /usr/local/opt directory.
I tried to add username as tomcat in tomcat-users.xml which was already a role and it was not working. Then I given username as admin for and It worked fine..:)
Shutdown tomcat
paste below comments complete content into tomcat-users.xml and save
start tomcat
Now Build it should work, i did for windows OS with Jenkins and git deployment via tomcat7
<?xml version="1.0" encoding="UTF-8"?>
-<tomcat-users> <role rolename="manager-gui"/> <role rolename="manager-script"/> <role rolename="manager-jmx"/> <role rolename="manager-status"/> <role rolename="admin-gui"/> <role rolename="admin-script"/> <user roles="manager-gui, manager-script, manager-jmx, manager-status, admin-gui, admin-script" password="admin" username="admin"/> </tomcat-users>
I was using a particular complex password with lots of odd characters. Just return that back to regular password and worked fine.
精彩评论