Saturday, January 4, 2014

Secure Tomcat manager for production use

Tomcat Manager is very useful in a production environment when multiple applications are deployed on a single server: it lets you manage applications without restarting the server. However, exposing the HTML interface of the Manager application to remote access is not a wise decision.
Therefore the best choice is to block remote browser access to Tomcat Manager while still allowing access to its tool-friendly plain-text interface. This article illustrates a simple solution designed to secure a Tomcat server for production use.

Tomcat provides a number of filters to secure the server itself or an individual application (see the Tomcat filter documentation for details). Our goal is to prevent web browsers from accessing the Manager application from anywhere other than localhost. At the same time, we must allow commands passed as part of the request URI to return responses as simple text that can be easily parsed and processed. The filter should therefore decide whether to allow access based on the HTTP request headers. A very simple approach is to check the remote address together with a request property embedded in the HTTP request headers, as below.

private String checkHeader = "MyComp";
...
String headerValue = request.getHeader("referer");
String remoteIp = request.getRemoteAddr();
boolean allowAccess = false;

/*
 * Either connect from 127.0.0.1 or send the request property that the
 * "tomcatmanager" client utility sets
 */
if (remoteIp.equals("127.0.0.1")) {
    allowAccess = true;
} else if (headerValue != null && headerValue.equals(checkHeader)) {
    allowAccess = true;
}
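The fragment above only shows the decision; the complete filter below is an added example (not the author's code) that wires the same check into a javax.servlet Filter, refuses everything else with 403, and keeps the decision in a separate static method so it can be unit-tested. The class name ManagerAccessFilter, the init-param name checkHeader and the IPv6 loopback literals are this example's own assumptions. Note that the "referer" value is chosen by the client, so this filter only keeps casual browser traffic away from the Manager GUI; authentication still comes from the Manager realm and the roles in tomcat-users.xml.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Register it in the Manager webapp's WEB-INF/web.xml (assumed mapping):
 *
 *   <filter>
 *     <filter-name>ManagerAccessFilter</filter-name>
 *     <filter-class>ManagerAccessFilter</filter-class>
 *     <init-param>
 *       <param-name>checkHeader</param-name>
 *       <param-value>MyComp</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>ManagerAccessFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class ManagerAccessFilter implements Filter {

    // Value the client utility sends in its "referer" request property;
    // can be overridden through the checkHeader init-param.
    private String checkHeader = "MyComp";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("checkHeader");
        if (configured != null && !configured.isEmpty()) {
            checkHeader = configured;
        }
    }

    /** Pure decision logic: loopback is always allowed, otherwise the header must match. */
    static boolean isAllowed(String remoteIp, String headerValue, String expected) {
        if (isLoopback(remoteIp)) {
            return true;            // browser running on the server itself (system A)
        }
        return headerValue != null && headerValue.equals(expected);
    }

    /** IPv4 and the two common IPv6 spellings of the loopback address. */
    static boolean isLoopback(String ip) {
        return "127.0.0.1".equals(ip) || "::1".equals(ip)
                || "0:0:0:0:0:0:0:1".equals(ip);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String headerValue = request.getHeader("referer");
        String remoteIp = request.getRemoteAddr();

        if (!isAllowed(remoteIp, headerValue, checkHeader)) {
            // The article redirects to an error page; a plain 403 is the simpler equivalent.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Two practical caveats: if Tomcat sits behind a reverse proxy, getRemoteAddr() returns the proxy's address, so the loopback branch will not behave as expected unless the proxy's forwarded address is handled (Tomcat's RemoteIpValve/RemoteIpFilter exist for that); and if you only need the address restriction without the header branch, Tomcat's built-in RemoteAddrValve already covers the localhost-only case.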

The second part of this solution is a Java utility that performs two basic functions. First, it encrypts the plain-text password held in a properties file and then decrypts it again in order to connect to the tool-friendly text URI. The properties file contains the plain-text user and password as configured in tomcat-users.xml; whenever the Tomcat credentials change, the properties file must be updated accordingly. The other function is to call setRequestProperty to prepare the URLConnection.

urlConnection.setRequestProperty("referer", "MyComp");

Users with the manager-gui role should not also be granted the manager-script or manager-jmx roles. Therefore, to use this client utility, configure tomcat-users.xml accordingly.
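As an added example (not the article's utility), the client below shows the part of that workflow the article spells out: it reads user, password and Manager URL from a properties file, sends HTTP Basic credentials plus the "referer" request property the filter expects, and parses the response of the Manager "list" command. The property names (manager.url, manager.user, manager.password, manager.referer), the class name and the use of java.util.Base64 (Java 8 or later) are this example's assumptions; the article's encrypt/decrypt step for the stored password is left out because the page does not give its scheme, so the password is read as stored.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

/** Scripted client for the Tomcat Manager text interface (illustrative, assumed names). */
public class ManagerTextClient {

    private final String baseUrl;   // e.g. http://tomcat-host:8080/manager/text
    private final String user;
    private final String password;
    private final String referer;   // must match the filter's checkHeader value

    public ManagerTextClient(Properties p) {
        this.baseUrl = p.getProperty("manager.url");
        this.user = p.getProperty("manager.user");
        this.password = p.getProperty("manager.password");
        this.referer = p.getProperty("manager.referer", "MyComp");
    }

    /** Loads the credentials file kept in step with tomcat-users.xml. */
    public static ManagerTextClient fromFile(String path) throws IOException {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(path)) {
            p.load(in);
        }
        return new ManagerTextClient(p);
    }

    /** Runs one Manager text command such as "list" and returns the raw body. */
    public String run(String command) throws IOException {
        URL url = new URL(baseUrl + "/" + command);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");

        // HTTP Basic authentication against the Manager realm (manager-script role)
        String token = Base64.getEncoder().encodeToString(
                (user + ":" + password).getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + token);
        // The request property the access filter looks for
        conn.setRequestProperty("referer", referer);

        int status = conn.getResponseCode();
        InputStream body = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        StringBuilder sb = new StringBuilder();
        if (body != null) {
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(body, StandardCharsets.UTF_8))) {
                String line;
                while ((line = r.readLine()) != null) {
                    sb.append(line).append('\n');
                }
            }
        }
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("HTTP " + status + " from Manager: " + sb.toString().trim());
        }
        return sb.toString();
    }

    /**
     * Parses "list" output: the first line is "OK - Listed applications ..." (or "FAIL - ..."),
     * each following line is path:state:sessions:docBase. Returns path -> state.
     */
    static Map<String, String> parseList(String body) throws IOException {
        Map<String, String> states = new LinkedHashMap<>();
        String[] lines = body.split("\n");
        if (lines.length == 0 || !lines[0].startsWith("OK")) {
            throw new IOException("Manager reported failure: "
                    + (lines.length > 0 ? lines[0] : "<empty response>"));
        }
        for (int i = 1; i < lines.length; i++) {
            String[] f = lines[i].split(":", 4);
            if (f.length >= 2) {
                states.put(f[0], f[1]);
            }
        }
        return states;
    }

    public static void main(String[] args) throws IOException {
        ManagerTextClient c = fromFile(args.length > 0 ? args[0] : "manager.properties");
        Map<String, String> apps = parseList(c.run("list"));
        apps.forEach((path, state) -> System.out.println(path + " -> " + state));
    }
}
```

Because Basic credentials travel in cleartext, run the Manager over HTTPS when the client is on a different host, and keep the properties file readable only by the account that runs the utility.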

Demonstration:
Consider two systems, A and B. System A is your Tomcat server, where the Manager application is deployed, and system B is your desktop client. If you try to access the HTML interface of Tomcat Manager from your desktop, you will be redirected to an error page; however, if you run the utility, it will show you all the details in readable text format, as below.
  
How does it work?
When you use a web browser on a client to access the GUI interface of Tomcat Manager, the filter checks the remote address and redirects your request. However, the filter allows access to the GUI interface from system A, because in that case the request comes from localhost.

When we run the utility from system B, the filter finds the hard-coded request property, so it skips the remote-address check and allows access to the plain-text URI.