Managing the Server status, Manager App and host-manager pages linked from Tomcat's default home page.

I. Enabling Tomcat's Server status and Manager App pages

1. The problem

After Tomcat is installed, the status page linked from the top-right corner of the default home page cannot be opened directly. Tomcat's access control has to be changed first; only then can you log in to view information, manage the instance and deploy applications. This section explains how to enable Tomcat's status and manager pages.

By default, clicking the link produces a 403 error page instead.

2. Changing the configuration to enable the manager pages

Overview: the manager pages are disabled by default. Enabling them requires changing two files: conf/tomcat-users.xml, to add a user with the required role, and webapps/manager/META-INF/context.xml, to add the address range that is allowed to access the application.

Web-based management through Server status and Manager App allows applications to be deployed. Tomcat ships this web-based management interface; by default the relevant files are provided by the tomcat-admin-webapps.noarch package. Open Tomcat's default home page in a browser: clicking either of the two buttons returns the 403 error described above. Two files have to be modified.

[root@CentOS84-IP68 ]#cd /usr/local/tomcat/
[root@CentOS84-IP68 ]#ls conf/
Catalina catalina.properties jaspic-providers.xml logging.properties tomcat.conf tomcat-users.xsd
catalina.policy context.xml jaspic-providers.xsd server.xml tomcat-users.xml web.xml

# Inspect the configuration in conf/server.xml
[root@CentOS84-IP68 ]#cat conf/server.xml
.......................... # part of the file omitted
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" /> ### this is where the file holding user names and credentials, conf/tomcat-users.xml, is referenced
</GlobalNamingResources>

<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
..................................... # part of the file omitted

##########################################################################################
## Edit the user account file conf/tomcat-users.xml
[root@CentOS84-IP68 ]#vim conf/tomcat-users.xml
..........................
The users below are wrapped in a comment and are therefore ignored. If you
wish to configure one or more of these users for use with the manager web
application, do not forget to remove the <!.. ..> that surrounds them. You
will also need to set the passwords to something appropriate.
-->
<!--
<user username="admin" password="<must-be-changed>" roles="manager-gui"/>
<user username="robot" password="<must-be-changed>" roles="manager-script"/>
-->
<!--
The sample user and role entries below are intended for use with the
examples web application. They are wrapped in a comment and thus are ignored
when reading this file. If you wish to configure these users for use with the
examples web application, do not forget to remove the <!.. ..> that surrounds
them. You will also need to set the passwords to something appropriate.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->
# the two lines below are the newly added role definition and the user with its password
<role rolename="manager-gui"/>
<user username="admin" password="shone8888" roles="manager-gui"/>
</tomcat-users>
[root@CentOS84-IP68 ]#systemctl restart tomcat

##########################################################################################

### Edit webapps/manager/META-INF/context.xml. The regular expression in the RemoteAddrValve shows that only local access is permitted. Since the client here is on 192.168.X.x, the expression can be changed to allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.\d+\.\d+"; the new entry only needs to follow the form already used in the configuration file.

[root@CentOS84-IP68 ]#vim webapps/manager/META-INF/context.xml
......................
<Context antiResourceLocking="false" privileged="true" >
<CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
sameSiteCookies="strict" />
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.250\.\d+" />
<Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
..................

[root@CentOS84-IP68 ]#cat webapps/manager/META-INF/context.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<Context antiResourceLocking="false" privileged="true" >
<CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
sameSiteCookies="strict" />
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.250\.\d+" />
<Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>

# restart the Tomcat service after the changes above
[root@CentOS84-IP68 ]#systemctl restart tomcat

3. Securing Tomcat's port 8005

TCP port 8005 is Tomcat's shutdown port and listens on 127.0.0.1 by default. Anyone who can reach it can send the string SHUTDOWN (it must be uppercase) without any authentication, and Tomcat shuts the server down on receiving it.

It is recommended to disable this function. There are three ways: (1) change SHUTDOWN to a string that cannot be guessed; (2) set port to 0, which makes Tomcat pick a random port, e.g. 39913; (3) set port to an invalid value such as -1, which disables the function entirely.

[root@CentOS84-IP68 ]#cat /usr/local/tomcat/conf/server.xml | grep 8005
<Server port="8005" shutdown="SHUTDOWN">
[root@CentOS84-IP68 ]#

This line must not be commented out, otherwise the Tomcat service will not start.

# the listening sockets show that Tomcat also listens on port 8005 by default
[root@CentOS84-IP68 ]#ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 100 *:8080 *:*
LISTEN 0 1 [::ffff:127.0.0.1]:8005 *:*

[root@CentOS84-IP68 ]#
[root@CentOS84-IP68 ]#ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 100 *:8080 *:* users:(("java",pid=7595,fd=42))
LISTEN 0 1 [::ffff:127.0.0.1]:8005 *:* users:(("java",pid=7595,fd=53))
[root@CentOS84-IP68 ]#
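As an added example (not part of the original post), the Python script below reproduces the two checks this section relies on: whether conf/server.xml still uses the default shutdown port and command, and how RemoteAddrValve decides whether a client address passes the allow regex. Tomcat requires the regex to match the whole remote address, so with the manager pattern above a client on 192.168.1.5 receives 403 even with valid credentials. The XML fragments are constructed stand-ins for the edited files, not copies of them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragments standing in for the files edited in this post (not full copies).
SERVER_XML = '<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
MANAGER_CONTEXT_XML = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.250\.\d+" />
</Context>"""

VALVE = "org.apache.catalina.valves.RemoteAddrValve"


def shutdown_findings(server_xml):
    """Flag a <Server> element that still uses the stock shutdown port/command.
    A negative port disables the shutdown listener, so nothing is reported then."""
    server = ET.fromstring(server_xml)
    port = int(server.get("port", "8005"))        # Tomcat's own defaults
    command = server.get("shutdown", "SHUTDOWN")
    if port < 0:
        return []
    findings = []
    if port == 8005:
        findings.append("shutdown port is the well-known default 8005")
    if command == "SHUTDOWN":
        findings.append("shutdown command is the guessable default SHUTDOWN")
    return findings


def allowed_by_remote_addr_valve(context_xml, client_ip):
    """Reproduce RemoteAddrValve's decision for one client address.
    Tomcat compiles allow/deny as Java regexes and requires a full match of the
    remote address (Matcher.matches()); re.fullmatch mirrors that behaviour."""
    valve = ET.fromstring(context_xml).find(f"Valve[@className='{VALVE}']")
    allow, deny = valve.get("allow"), valve.get("deny")
    if deny is not None and re.fullmatch(deny, client_ip):
        return False
    if allow is not None and re.fullmatch(allow, client_ip):
        return True
    # deny-only valve: anything not denied is allowed; otherwise default deny
    return deny is not None and allow is None


if __name__ == "__main__":
    for finding in shutdown_findings(SERVER_XML):
        print("server.xml:", finding)
    for ip in ("127.0.0.1", "::1", "192.168.250.68", "192.168.1.5", "10.0.0.7"):
        verdict = "allowed" if allowed_by_remote_addr_valve(MANAGER_CONTEXT_XML, ip) else "403"
        print(ip, "->", verdict)
```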

4. Testing login to the status and manager pages

In short: after the changes above, entering the user name and password defined earlier logs you in to both the Server status page and the Manager App page. Once logged in, applications can be deployed from the interface.

It must be stressed that the manager interface is very powerful: it can stop and undeploy applications. In production it is recommended to remove this manager application altogether or to control access to it strictly.

II. Enabling Tomcat's host-manager page

Overview: like the status page, Tomcat's host-manager page cannot be opened by default; the configuration files must be edited and access authorised before login works.

Opening the host-manager page takes two steps: first, edit /usr/local/tomcat/conf/tomcat-users.xml to add the role, account and password; second, edit /usr/local/tomcat/webapps/host-manager/META-INF/context.xml to change the authorised IP address range.

1. Editing the conf/tomcat-users.xml file

[root@CentOS84-IP68 ]#vim /usr/local/tomcat/conf/tomcat-users.xml
.......................... # part of the file omitted
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->

# the part to change: the manager-gui role was added earlier, now add the admin-gui role as well and merge the entries following the format of the examples above
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<user username="admin" password="shone8888" roles="manager-gui,admin-gui"/>
</tomcat-users>
........................ # part of the file omitted

# full content of /usr/local/tomcat/conf/tomcat-users.xml after the change
[root@CentOS84-IP68 ]#cat /usr/local/tomcat/conf/tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.

Built-in Tomcat manager roles:
- manager-gui - allows access to the HTML GUI and the status pages
- manager-script - allows access to the HTTP API and the status pages
- manager-jmx - allows access to the JMX proxy and the status pages
- manager-status - allows access to the status pages only

The users below are wrapped in a comment and are therefore ignored. If you
wish to configure one or more of these users for use with the manager web
application, do not forget to remove the <!.. ..> that surrounds them. You
will also need to set the passwords to something appropriate.
-->
<!--
<user username="admin" password="<must-be-changed>" roles="manager-gui"/>
<user username="robot" password="<must-be-changed>" roles="manager-script"/>
-->
<!--
The sample user and role entries below are intended for use with the
examples web application. They are wrapped in a comment and thus are ignored
when reading this file. If you wish to configure these users for use with the
examples web application, do not forget to remove the <!.. ..> that surrounds
them. You will also need to set the passwords to something appropriate.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->

<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<user username="admin" password="shone8888" roles="manager-gui,admin-gui"/>
</tomcat-users>
[root@CentOS84-IP68 ]#systemctl restart tomcat.service

2. Editing the host-manager/META-INF/context.xml file

# edit /usr/local/tomcat/webapps/host-manager/META-INF/context.xml to add the allowed IP address range
[root@CentOS84-IP68 ]#
[root@CentOS84-IP68 ]#ls /usr/local/tomcat/webapps/host-manager/
css images index.jsp META-INF WEB-INF
[root@CentOS84-IP68 ]#ls /usr/local/tomcat/webapps/host-manager/META-INF/
context.xml
[root@CentOS84-IP68 ]#ls /usr/local/tomcat/webapps/host-manager/META-INF/context.xml
/usr/local/tomcat/webapps/host-manager/META-INF/context.xml
[root@CentOS84-IP68 ]#vim /usr/local/tomcat/webapps/host-manager/META-INF/context.xml
....................... # part of the file omitted
<Context antiResourceLocking="false" privileged="true" >
<CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
sameSiteCookies="strict" />
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
<Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
....................... # part of the file omitted

# full content of /usr/local/tomcat/webapps/host-manager/META-INF/context.xml after the change
[root@CentOS84-IP68 ]#cat /usr/local/tomcat/webapps/host-manager/META-INF/context.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<Context antiResourceLocking="false" privileged="true" >
<CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
sameSiteCookies="strict" />
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.250\.\d+" />
<Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
[root@CentOS84-IP68 ]#systemctl restart tomcat.service
[root@CentOS84-IP68 ]#

3. Verifying login

Enter the account name and password to log in.
