Author: markt
Date: Wed Mar 9 15:27:21 2016
New Revision: 1734267

URL: http://svn.apache.org/viewvc?rev=1734267&view=rev
Log:
Limit the Manager and Host Manager applications to localhost.
Modified: tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/host-manager/META-INF/context.xml tomcat/trunk/webapps/host-manager/WEB-INF/jsp/403.jsp tomcat/trunk/webapps/manager/META-INF/context.xml tomcat/trunk/webapps/manager/WEB-INF/jsp/403.jsp Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1734267&r1=1734266&r2=1734267&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed Mar 9 15:27:21 2016 @@ -263,6 +263,10 @@ <code>ServletRequest.getServerPort()</code> in Proxy How-To. Issue reported via comments.apache.org. (violetagg) </fix> + <add> + The Manager and Host Manager applications are now only accessible via + <code>localhost</code> by default. (markt) + </add> </changelog> </subsection> <subsection name="Other"> Modified: tomcat/trunk/webapps/host-manager/META-INF/context.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/host-manager/META-INF/context.xml?rev=1734267&r1=1734266&r2=1734267&view=diff ============================================================================== --- tomcat/trunk/webapps/host-manager/META-INF/context.xml (original) +++ tomcat/trunk/webapps/host-manager/META-INF/context.xml Wed Mar 9 15:27:21 2016 
@@ -16,12 +16,6 @@ limitations under the License. --> <Context antiResourceLocking="false" privileged="true" > - <!-- - Remove the comment markers from around the Valve below to limit access to - the host-manager application to clients connecting from localhost - --> - <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> - --> </Context> \ No newline at end of file Modified: tomcat/trunk/webapps/host-manager/WEB-INF/jsp/403.jsp URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/host-manager/WEB-INF/jsp/403.jsp?rev=1734267&r1=1734266&r2=1734267&view=diff ============================================================================== --- tomcat/trunk/webapps/host-manager/WEB-INF/jsp/403.jsp (original) +++ tomcat/trunk/webapps/host-manager/WEB-INF/jsp/403.jsp Wed Mar 9 15:27:21 2016 @@ -34,6 +34,11 @@ You are not authorized to view this page. </p> <p> + By default the Host Manager is only accessible from a browser running on the + same machine as Tomcat. If you wish to modify this restriction, you'll need + to edit the Host Manager's <tt>context.xml</tt> file. + </p> + <p> If you have already configured the Host Manager application to allow access and you have used your browsers back button, used a saved book-mark or similar then you may have triggered the cross-site request forgery (CSRF) Modified: tomcat/trunk/webapps/manager/META-INF/context.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/manager/META-INF/context.xml?rev=1734267&r1=1734266&r2=1734267&view=diff ============================================================================== --- tomcat/trunk/webapps/manager/META-INF/context.xml (original) +++ tomcat/trunk/webapps/manager/META-INF/context.xml Wed Mar 9 15:27:21 2016 
@@ -16,12 +16,6 @@ limitations under the License. --> <Context antiResourceLocking="false" privileged="true" > - <!-- - Remove the comment markers from around the Valve below to limit access to - the manager application to clients connecting from localhost - --> - <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> - --> </Context> Modified: tomcat/trunk/webapps/manager/WEB-INF/jsp/403.jsp URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/manager/WEB-INF/jsp/403.jsp?rev=1734267&r1=1734266&r2=1734267&view=diff ============================================================================== --- tomcat/trunk/webapps/manager/WEB-INF/jsp/403.jsp (original) +++ tomcat/trunk/webapps/manager/WEB-INF/jsp/403.jsp Wed Mar 9 15:27:21 2016 @@ -34,6 +34,11 @@ You are not authorized to view this page. </p> <p> + By default the Host Manager is only accessible from a browser running on the + same machine as Tomcat. If you wish to modify this restriction, you'll need + to edit the Host Manager's <tt>context.xml</tt> file. + </p> + <p> If you have already configured the Manager application to allow access and you have used your browsers back button, used a saved book-mark or similar then you may have triggered the cross-site request forgery (CSRF) protection --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
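Review bot: the host-manager/META-INF/context.xml hunk still ends with `\ No newline at end of file`; since this change already rewrites the tail of that file, add the trailing newline after `</Context>` so it matches the manager copy (which has one) and later diffs of this file stay clean.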
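Review bot: in the manager/META-INF/context.xml hunk the only explanation of the valve is deleted along with the comment markers, leaving a bare `RemoteAddrValve` with `allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"`; keep a one-line comment saying the valve restricts the Manager to clients whose TCP connection originates from loopback, and that a reverse proxy on the same host therefore makes every request look local, so administrators know both why they are locked out and why the valve alone is not a substitute for authentication behind a proxy. The same applies to the host-manager copy of the file.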
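Review bot: the new paragraph in manager/WEB-INF/jsp/403.jsp reads "By default the Host Manager is only accessible ..." and "edit the Host Manager's <tt>context.xml</tt> file", which looks copied from the host-manager page; this 403 page belongs to the Manager application (the next paragraph already says "the Manager application"), so both mentions should say "the Manager" and "the Manager's <tt>context.xml</tt>".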