
  1. 默认情况下,管理员只允许通过本机浏览器访问,如需远程管理,可以编辑【tomcat_home/webapps/manager/META-INF/context.xml】文档来完成修改。
<Context antiResourceLocking="false" privileged="true" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
<Context antiResourceLocking="false" privileged="true" >
    <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> -->
  1. 在Tomcat中内置了一个管理子程序Tomcat Manager来管理Tomcat及部署在其上的应用。
  2. 从Tomcat7.x开始,原来的manager角色从粗粒度的单条分裂为下列四条,原来的单条角色控制的权限也被进一步隔离和细化。(Note that for Tomcat 7 onwards, the roles required to use the manager application were changed from the single manager role to the following four roles. You will need to assign the role(s) required for the functionality you wish to access.)
    • manager-gui - allows access to the HTML GUI and the status pages
    • manager-script - allows access to the text interface and the status pages
    • manager-jmx - allows access to the JMX proxy and the status pages
    • manager-status - allows access to the status pages only
  3. The HTML interface is protected against CSRF but the text and JMX interfaces are not. To maintain the CSRF protection:
    • Users with the manager-gui role should not be granted either the manager-script or manager-jmx roles.
    • If the text or jmx interfaces are accessed through a browser (e.g. for testing since these interfaces are intended for tools not humans) then the browser must be closed afterwards to terminate the session.
  4. 配置方式,根据权限的隔离关系,下列配置是比较合理的(TOMCAT_HOME/conf/tomcat-users.xml):
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <user username="gui" password="111111" roles="manager-gui"/>
  <user username="script" password="111111" roles="manager-script"/>
  <user username="jmx" password="111111" roles="manager-jmx"/>
  <user username="status" password="111111" roles="manager-status"/>
posted @ 2020-04-23 11:15  JaxYoun  阅读(949)  评论(0编辑  收藏  举报