AnsweredAssumed Answered

How to setup tomcat-users in tomcat-users.xml

Question asked by RogerShirley603913 on Sep 18, 2018
Latest reply on Oct 1, 2018 by treal04

The Apache Tomcat Manager can be accessed using a known set of credentials.

A remote attacker can leverage this issue to install a malicious application on the affected server and run code with Tomcat's privileges (usually SYSTEM on Windows, or the unprivileged 'tomcat' account on UNIX).

How can we fix this so a remote attacker cannot install a malicious application.

We use UNIX

 

<tomcat-users>

<!--

  NOTE:  By default, no user is included in the "manager-gui" role required

  to operate the "/manager/html" web application.  If you wish to use this app,

  you must define such a user - the username and password are arbitrary. It is

  strongly recommended that you do NOT use one of the users in the commented out

  section below since they are intended for use with the examples web

  application.

-->

<!--

  NOTE:  The sample user and role entries below are intended for use with the

  examples web application. They are wrapped in a comment and thus are ignored

  when reading this file. If you wish to configure these users for use with the

  examples web application, do not forget to remove the <!.. ..> that surrounds

  them. You will also need to set the passwords to something appropriate.

-->

  <role rolename="tomcat"/>

  <role rolename="manager-gui"/>

  <role rolename="role1"/>

  <user username="tomcat" password="tomcat" roles="manager-gui"/>

  <user username="xxxxxxx" password="zzzzzz" roles="manager-gui"/>

  <user username="both" password="both" roles="tomcat,role1"/>

  <user username="role1" password="role1" roles="role1"/>

</tomcat-users>

 

 

Outcomes