Access Tomcat Manager App from different host

I have installed tomcat 9 on a remote sever and after starting it, it was brought up fine, I can access http://host_name:port_num and see tomcat hello page. But when I try to open manager app to see my deployed apps, I get 403 access denied, I already add roles in tomcat user xml as following:

<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="admin"/>
<user username="user" password="password" roles="admin,manager,manager-gui"/>

The error messages I saw is:

By default the Host Manager is only accessible from a browser running on the same machine as Tomcat. If you wish to modify this restriction, you'll need to edit the Host Manager's context.xml file.

How should I change context.xml file and get access to manager app?

For Tomcat v8.5.4 and above, the file <tomcat>/webapps/manager/META-INF/context.xml has been adjusted:

<Context antiResourceLocking="false" privileged="true" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>

Change this file to comment the Valve:

<Context antiResourceLocking="false" privileged="true" >
    <!--
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
    -->
</Context>

After that, refresh your browser (not need to restart Tomcat), you can see the manager page.

Each deployed webapp has a context.xml file that lives in

$CATALINA_BASE/conf/[enginename]/[hostname]

(conf/Catalina/localhost by default)

and has the same name as the webapp (manager.xml in this case). If no file is present, default values are used.

So, you need to create a file conf/Catalina/localhost/manager.xml and specify the rule you want to allow remote access. For example, the following content of manager.xml will allow access from all machines:

<Context privileged="true" antiResourceLocking="false" 
         docBase="${catalina.home}/webapps/manager">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^YOUR.IP.ADDRESS.HERE$" />
</Context>

Note that the allow attribute of the Valve element is a regular expression that matches the IP address of the connecting host. So substitute your IP address for YOUR.IP.ADDRESS.HERE (or some other useful expression).

Other Valve classes cater for other rules (e.g. RemoteHostValve for matching host names). Earlier versions of Tomcat use a valve class org.apache.catalina.valves.RemoteIpValve for IP address matching.

Once the changes above have been made, you should be presented with an authentication dialog when accessing the manager URL. If you enter the details you have supplied in tomcat-users.xml you should have access to the Manager.

To access the tomcat manager from the different machines you have to follow the below steps:

1. Update conf/tomcat-users.xml file with user and some roles:

<role rolename="manager-gui"/>
 <role rolename="manager-script"/>
 <role rolename="manager-jmx"/>
 <role rolename="manager-status"/>
 <user username="admin" password="admin" roles="manager-gui,manager-script,manager-jmx,manager-status"/>

Here admin user is assigning roles="manager-gui,manager-script,manager-jmx,manager-status".

Here tomcat user and password is: admin

2. Update webapps/manager/META-INF/context.xml file (Allowing IP address):

Default configuration:

<Context antiResourceLocking="false" privileged="true" >
  
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>

Here in Valve it is allowing only local machine IP start with 127.\d+.\d+.\d+ .

2.a : Allow specefic IP:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|YOUR.IP.ADDRESS.HERE" />

Here you just replace |YOUR.IP.ADDRESS.HERE with your IP address

2.b : Allow all IP:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow=".*" />

Here using allow=".*" you are allowing all IP.

Thanks :)

The following two configurations is working for me.

1. tomcat-users.xml details

   ---

      <role rolename="manager-gui"/>
      <role rolename="manager-script"/>
      <role rolename="manager-jmx"/>
      <role rolename="manager-status"/>
      <role rolename="admin-gui"/>
      <role rolename="admin-script"/>
      <role rolename="tomcat"/>
    
      <user  username="tomcat"  password="tomcat" roles="tomcat"/>
    
      <user  username="admin"  password="admin" roles="admin-gui"/>
    
      <user  username="adminscript"  password="adminscrip" roles="admin-script"/>
    
      <user  username="tomcat"  password="s3cret" roles="manager-gui"/>
      <user  username="status"  password="status" roles="manager-status"/>
    
      <user  username="both"    password="both"   roles="manager-gui,manager-status"/>
    
      <user  username="script"  password="script" roles="manager-script"/>
      <user  username="jmx"     password="jmx"    roles="manager-jmx"/>

2. context.xml of /webapps/manager/META-INF/context.xml and /webapps/host-manager/META-INF/context.xml

   ---

<Context antiResourceLocking="false" privileged="true" >
    
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow=".*" />
      <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>

As I had to learn the hard way the default \etc\tomcat\server.xml file (for v9.0.36 on OpenSUSE v15.2 at least) already contained <Context ...> and <Valve ...> definitions for manager and host-manager apps! These obviously overrule whatever context.xml or manager.xml files you may have defined elsewhere. By default they restrict access to localhost which is exactly what I was seeing. ||-( So, one needs to adjust the settings in server.xml instead OR remove/comment them there and then one can add the files mentioned in the other responses as one used to.

Here are the sed commands I used on AWS Linux 2 to get this working via AWS EC2 user data script:

Note: This allows access from all IPs ".*" , If you don't want that, change ".*" in the last to sed command to whatever IP you want.

Change the following to what you want:

YOUR USER NAME
YOUR PASSWORD

Also, update the path to your tomcat install by replacing /abcd with wherever your tomcat is installed:

/abcd/tomcat/conf/tomcat-users.xml
/abcd/tomcat/webapps/manager/META-INF/context.xml
/abcd/tomcat/webapps/host-manager/META-INF/context.xml

Commands:

# Add a user to Tomcat manager
sed -i 's/<\/tomcat-users>//g' /abcd/tomcat/conf/tomcat-users.xml
echo '<user name="YOUR USER NAME" password="YOUR PASSWORD" roles="manager-gui,admin-gui" />' | tee -a  /abcd/tomcat/conf/tomcat-users.xml
echo '</tomcat-users>' | tee -a  /abcd/tomcat/conf/tomcat-users.xml

# Set the Tomcat Manager apps to allow connections from everywhere
# Note: the -r forces sed to respect full regex
sed -i -r 's/127\\\.\\d\+\\\.\\d\+\\\.\\d\+\|::1\|0:0:0:0:0:0:0:1/\.\*/g' /abcd/tomcat/webapps/manager/META-INF/context.xml
sed -i -r 's/127\\\.\\d\+\\\.\\d\+\\\.\\d\+\|::1\|0:0:0:0:0:0:0:1/\.\*/g' /abcd/tomcat/webapps/host-manager/META-INF/context.xml