Author: markt
Date: Sat Oct 17 19:25:11 2009
New Revision: 826294
URL: http://svn.apache.org/viewvc?rev=826294&view=rev
Log:
Part 1 of CSRF protection for host manager. Move text interface from / to /text, add extra role for /text. Port 401.jsp and 404.jsp from manager.
Added: tomcat/trunk/webapps/host-manager/401.jsp tomcat/trunk/webapps/host-manager/404.jsp Modified: tomcat/trunk/webapps/host-manager/WEB-INF/web.xml Added: tomcat/trunk/webapps/host-manager/401.jsp URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/host-manager/401.jsp?rev=826294&view=auto ============================================================================== --- tomcat/trunk/webapps/host-manager/401.jsp (added) +++ tomcat/trunk/webapps/host-manager/401.jsp Sat Oct 17 19:25:11 2009 
@@ -0,0 +1,62 @@ +<%-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--%> +<% + response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Host Manager Application\""); +%> +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> +<html> + <head> + <title>401 Unauthorized</title> + <style type="text/css"> + <!-- + BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;} + H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} + PRE, TT {border: 1px dotted #525D76} + A {color : black;}A.name {color : black;} + --> + </style> + </head> + <body> + <h1>401 Unauthorized</h1> + <p> + You are not authorized to view this page. If you have not changed + any configuration files, please examine the file + <tt>conf/tomcat-users.xml</tt> in your installation. That + file must contain the credentials to let you use this webapp. + </p> + <p> + For example, to add the <tt>admin</tt> role to a user named + <tt>tomcat</tt> with a password of <tt>s3cret</tt>, add the following to the + config file listed above. 
+ </p> +<pre> +<role rolename="admin"/> +<user username="tomcat" password="s3cret" roles="admin"/> +</pre> + <p> + Note that for Tomcat 7 onwards, the roles required to use the host manager + application were changed from the single <tt>admin</tt> role to the + following two roles. You will need to assign the role(s) required for + the functionality you wish to access. + </p> + <ul> + <li><tt>admin</tt> - allows access to the HTML GUI</li> + <li><tt>admin-script</tt> - allows access to the text interface</li> + </ul> + </body> + +</html> Added: tomcat/trunk/webapps/host-manager/404.jsp URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/host-manager/404.jsp?rev=826294&view=auto ============================================================================== --- tomcat/trunk/webapps/host-manager/404.jsp (added) +++ tomcat/trunk/webapps/host-manager/404.jsp Sat Oct 17 19:25:11 2009 
@@ -0,0 +1,61 @@ +<%-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--%> +<%@ page import="org.apache.catalina.util.RequestUtil" %> +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> +<html> + <head> + <title>404 Not found</title> + <style type="text/css"> + <!-- + BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;} + H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} + PRE, TT {border: 1px dotted #525D76} + A {color : black;}A.name {color : black;} + --> + </style> + </head> + <body> + <h1>404 Not found</h1> + <p> + The page you tried to access + (<%=RequestUtil.filter((String) request.getAttribute( + "javax.servlet.error.request_uri"))%>) + does not exist. + </p> + <p> + The Host Manager application has been re-structured for Tomcat 7 onwards and some + of URLs have changed. 
All URLs used to access the Manager application should + now start with one of the following options: + </p> + <ul> + <li><%=request.getContextPath()%>/html for the HTML GUI</li> + <li><%=request.getContextPath()%>/text for the text interface</li> + </ul> + <p> + Note that the URL for the text interface has changed from + "<%=request.getContextPath()%>" to + "<%=request.getContextPath()%>/text". + </p> + <p> + You probably need to adjust the URL you are using to access the Host Manager + application. However, there is always a chance you have found a bug in the + Host Manager application. If you are sure you have found a bug, and that the + bug has not already been reported, please report it to the Apache Tomcat + team. + </p> + </body> +</html> Modified: tomcat/trunk/webapps/host-manager/WEB-INF/web.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/host-manager/WEB-INF/web.xml?rev=826294&r1=826293&r2=826294&view=diff ============================================================================== --- tomcat/trunk/webapps/host-manager/WEB-INF/web.xml (original) +++ tomcat/trunk/webapps/host-manager/WEB-INF/web.xml Sat Oct 17 19:25:11 2009 @@ -53,23 +53,7 @@ <!-- Define the Manager Servlet Mapping --> <servlet-mapping> <servlet-name>HostManager</servlet-name> - <url-pattern>/list</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>HostManager</servlet-name> - <url-pattern>/add</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>HostManager</servlet-name> - <url-pattern>/remove</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>HostManager</servlet-name> - <url-pattern>/start</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>HostManager</servlet-name> - <url-pattern>/stop</url-pattern> + <url-pattern>/text/*</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>HTMLHostManager</servlet-name> 
@@ -79,13 +63,18 @@ <!-- Define a Security Constraint on this Application --> <security-constraint> <web-resource-collection> - <web-resource-name>HTMLHostManager and HostManager commands</web-resource-name> + <web-resource-name>HostManager commands</web-resource-name> + <url-pattern>/text/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <!-- NOTE: This role is not present in the default users file --> + <role-name>admin-script</role-name> + </auth-constraint> + </security-constraint> + <security-constraint> + <web-resource-collection> + <web-resource-name>HTMLHostManager commands</web-resource-name> <url-pattern>/html/*</url-pattern> - <url-pattern>/list</url-pattern> - <url-pattern>/add</url-pattern> - <url-pattern>/remove</url-pattern> - <url-pattern>/start</url-pattern> - <url-pattern>/stop</url-pattern> </web-resource-collection> <auth-constraint> <!-- NOTE: This role is not present in the default users file --> @@ -102,9 +91,26 @@ <!-- Security roles referenced by this web application --> <security-role> <description> - The role that is required to log in to the Manager Application + The role that is required to log in to the Host Manager Application HTML + interface </description> <role-name>admin</role-name> </security-role> + <security-role> + <description> + The role that is required to log in to the Host Manager Application text + interface + </description> + <role-name>admin-script</role-name> + </security-role> + <error-page> + <error-code>401</error-code> + <location>/401.jsp</location> + </error-page> + <error-page> + <error-code>404</error-code> + <location>/404.jsp</location> + </error-page> + </web-app> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
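Review bot: the worked example in 401.jsp only adds the `admin` role, but the paragraph directly below it says the host manager now needs two roles and that `admin` alone only unlocks the HTML GUI; a reader who follows the example and then requests `/text/*` lands on this same 401 page with no hint of what is missing. Suggest the snippet declare both roles, `<role rolename="admin"/>` and `<role rolename="admin-script"/>`, and say which one the reader's interface needs, instead of a single-role example that the next paragraph immediately contradicts.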
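Review bot: the explanatory text in 404.jsp reads "All URLs used to access the Manager application" and "some of URLs have changed"; this page belongs to the Host Manager, so it should say "Host Manager application" (as the rest of the page does) and "some of the URLs". Escaping the error request URI with `RequestUtil.filter(...)` is right, since that value is client-controlled; `request.getContextPath()` is server-configured, so emitting it unescaped is acceptable here.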
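Review bot: collapsing the five command mappings into `<url-pattern>/text/*</url-pattern>` changes how the HostManager servlet sees its command: before, the command was the servlet path itself (`/list`, `/add`, `/remove`, `/start`, `/stop`); now it arrives as path info beneath `/text`. Nothing in this commit touches the servlet, so please confirm, or cover in part 2, that HostManagerServlet derives the command from the path element after `/text`, otherwise the text interface will not dispatch correctly once this mapping is in place. The old command URLs now fall to the new 404 page, which is what 404.jsp documents, so that part is consistent.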
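Review bot: splitting the single constraint into one for `/text/*` (`admin-script`) and one for `/html/*` (`admin`) is the substance of the CSRF mitigation, and it only helps if the two roles are held by different principals: an account that has both roles and is used from a browser is exactly as exposed to cross-site requests against `/text/*` as before. The `<!-- NOTE: This role is not present in the default users file -->` comment on the `admin-script` constraint is the natural place to state that, e.g. that it is meant for accounts used by scripts rather than interactively. It is also good that neither `<web-resource-collection>` lists an `<http-method>`, so each constraint applies to every HTTP method.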
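Review bot: the `<error-page>` for 401 routes the container's challenge through `/401.jsp`, which sets its own `WWW-Authenticate: Basic realm="Tomcat Host Manager Application"` header (first hunk). That realm string must stay identical to the `<realm-name>` in this web.xml's `<login-config>` (not part of this diff), or browsers will re-prompt for credentials they already hold; a comment beside the error-page entry pointing at the JSP would keep the two from being edited independently. The `/401.jsp` and `/404.jsp` locations sit outside both constrained patterns, which is required so unauthenticated clients can receive the 401 page at all.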