Automic Workload Automation

  • 1.  How to setup tomcat-users in tomcat-users.xml

    Posted Sep 18, 2018 04:54 PM

    The Apache Tomcat Manager can be accessed using a known set of credentials.

    A remote attacker can leverage this issue to install a malicious application on the affected server and run code with Tomcat's privileges (usually SYSTEM on Windows, or the unprivileged 'tomcat' account on UNIX).

    How can we fix this so a remote attacker cannot install a malicious application?

    We use UNIX.

     

    <tomcat-users>
    <!--
      NOTE:  By default, no user is included in the "manager-gui" role required
      to operate the "/manager/html" web application.  If you wish to use this app,
      you must define such a user - the username and password are arbitrary. It is
      strongly recommended that you do NOT use one of the users in the commented out
      section below since they are intended for use with the examples web
      application.
    -->
    <!--
      NOTE:  The sample user and role entries below are intended for use with the
      examples web application. They are wrapped in a comment and thus are ignored
      when reading this file. If you wish to configure these users for use with the
      examples web application, do not forget to remove the <!.. ..> that surrounds
      them. You will also need to set the passwords to something appropriate.
    -->
      <role rolename="tomcat"/>
      <role rolename="manager-gui"/>
      <role rolename="role1"/>
      <user username="tomcat" password="tomcat" roles="manager-gui"/>
      <user username="xxxxxxx" password="zzzzzz" roles="manager-gui"/>
      <user username="both" password="both" roles="tomcat,role1"/>
      <user username="role1" password="role1" roles="role1"/>
    </tomcat-users>

     

     



  • 2.  Re: How to setup tomcat-users in tomcat-users.xml

    Broadcom Employee
    Posted Oct 01, 2018 12:39 AM

    Hi RogerShirley603913,

     

    I think this page might be a good starting point.

    Apache Tomcat 8 (8.5.34) - Security Considerations 

     

    Cheers,

    Alexander



  • 3.  Re: How to setup tomcat-users in tomcat-users.xml
    Best Answer

    Broadcom Employee
    Posted Oct 01, 2018 12:43 AM

    I also found this one:

     

    For security reasons, Manager is disabled by default - in fact, a User with privileges to access it is not even configured in tomcat-users.xml.  

    Gaining access to the Tomcat Manager would give an attacker considerable control over your Tomcat instance.  The first question you should ask is whether you need access to the Manager at all.  If you are using an alternative method of administering your Tomcat instances, it's best to leave the Manager disabled.  

    If you do need to use the Manager application, there are a number of configuration options and best practices you can enforce to limit the risk associated with running it.

     

    That's why AWA does not activate the Tomcat Manager by default.
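    As an added example (not code from this thread, from Tomcat, or from AWA), the Python script below audits a tomcat-users.xml like the one in post 1 for users that hold Manager or Host Manager roles or use the sample passwords, and produces a copy with those roles stripped, which is what "leave the Manager disabled" comes down to in that file. The embedded sample file and the 12-character password threshold are constructed assumptions, not Tomcat defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the file posted in the thread; not a real deployment.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager-gui"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="ops" password="zzzzzz" roles="manager-gui"/>
  <user username="both" password="both" roles="tomcat,role1"/>
  <user username="role1" password="role1" roles="role1"/>
</tomcat-users>
"""
# Role families that grant control of the instance through the Manager and
# Host Manager web applications (manager-gui, manager-script, admin-gui, ...).
PRIVILEGED_ROLE_PREFIXES = ("manager-", "admin-")
MIN_PASSWORD_LENGTH = 12  # assumed local policy, not a Tomcat default

def _roles(user):
    return [r.strip() for r in user.get("roles", "").split(",") if r.strip()]

def audit_tomcat_users(xml_text):
    """Return (username, finding) tuples for every risky <user> entry."""
    findings = []
    for user in ET.fromstring(xml_text).iter():
        if user.tag.split("}")[-1] != "user":  # tolerate a namespaced file
            continue
        name, password = user.get("username", ""), user.get("password", "")
        privileged = [r for r in _roles(user) if r.startswith(PRIVILEGED_ROLE_PREFIXES)]
        if privileged:
            findings.append((name, "privileged role(s): " + ",".join(privileged)))
        if password == name:
            findings.append((name, "password equals username"))
        elif len(password) < MIN_PASSWORD_LENGTH:
            findings.append((name, "password shorter than %d characters" % MIN_PASSWORD_LENGTH))
    return findings

def strip_privileged_roles(xml_text):
    """Remove Manager/Host Manager roles from every user; drop users left with none."""
    root = ET.fromstring(xml_text)
    for user in list(root):
        if user.tag.split("}")[-1] != "user":
            continue
        kept = [r for r in _roles(user) if not r.startswith(PRIVILEGED_ROLE_PREFIXES)]
        if kept:
            user.set("roles", ",".join(kept))
        else:
            root.remove(user)
    return ET.tostring(root, encoding="unicode")
```

Run `audit_tomcat_users` over the real file on a host to list the entries to act on, and review the output of `strip_privileged_roles` before writing it back, since the `<role>` definitions themselves are left in place.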