Author: markt
Date: Sat Oct 17 19:25:11 2009
New Revision: 826294
URL: http://svn.apache.org/viewvc?rev=826294&view=rev
Log:
Part 1 of CSRF protection for host manager. Move text interface from / to
/text, add extra role for /text. Port 401.jsp and 404.jsp from manager.
Added:
tomcat/trunk/webapps/host-manager/401.jsp
tomcat/trunk/webapps/host-manager/404.jsp
Modified:
tomcat/trunk/webapps/host-manager/WEB-INF/web.xml
Added: tomcat/trunk/webapps/host-manager/401.jsp
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/host-manager/401.jsp?rev=826294&view=auto
==============================================================================
--- tomcat/trunk/webapps/host-manager/401.jsp (added)
+++ tomcat/trunk/webapps/host-manager/401.jsp Sat Oct 17 19:25:11 2009
@@ -0,0 +1,62 @@
+<%--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+--%>
+<%
+ response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Host Manager
Application\"");
+%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd";>
+<html>
+ <head>
+ <title>401 Unauthorized</title>
+ <style type="text/css">
+ <!--
+ BODY
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
+ H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
+ PRE, TT {border: 1px dotted #525D76}
+ A {color : black;}A.name {color : black;}
+ -->
+ </style>
+ </head>
+ <body>
+ <h1>401 Unauthorized</h1>
+ <p>
+ You are not authorized to view this page. If you have not changed
+ any configuration files, please examine the file
+ <tt>conf/tomcat-users.xml</tt> in your installation. That
+ file must contain the credentials to let you use this webapp.
+ </p>
+ <p>
+ For example, to add the <tt>admin</tt> role to a user named
+ <tt>tomcat</tt> with a password of <tt>s3cret</tt>, add the following to
the
+ config file listed above.
+ </p>
+<pre>
+<role rolename="admin"/>
+<user username="tomcat" password="s3cret" roles="admin"/>
+</pre>
+ <p>
+ Note that for Tomcat 7 onwards, the roles required to use the host manager
+ application were changed from the single <tt>admin</tt> role to the
+ following two roles. You will need to assign the role(s) required for
+ the functionality you wish to access.
+ </p>
+ <ul>
+ <li><tt>admin</tt> - allows access to the HTML GUI</li>
+ <li><tt>admin-script</tt> - allows access to the text interface</li>
+ </ul>
+ </body>
+
+</html>
Added: tomcat/trunk/webapps/host-manager/404.jsp
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/host-manager/404.jsp?rev=826294&view=auto
==============================================================================
--- tomcat/trunk/webapps/host-manager/404.jsp (added)
+++ tomcat/trunk/webapps/host-manager/404.jsp Sat Oct 17 19:25:11 2009
@@ -0,0 +1,61 @@
+<%--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+--%>
+<%@ page import="org.apache.catalina.util.RequestUtil" %>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd";>
+<html>
+ <head>
+ <title>404 Not found</title>
+ <style type="text/css">
+ <!--
+ BODY
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
+ H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
+ PRE, TT {border: 1px dotted #525D76}
+ A {color : black;}A.name {color : black;}
+ -->
+ </style>
+ </head>
+ <body>
+ <h1>404 Not found</h1>
+ <p>
+ The page you tried to access
+ (<%=RequestUtil.filter((String) request.getAttribute(
+ "javax.servlet.error.request_uri"))%>)
+ does not exist.
+ </p>
+ <p>
+ The Host Manager application has been re-structured for Tomcat 7 onwards
and some
+ of URLs have changed. All URLs used to access the Manager application
should
+ now start with one of the following options:
+ </p>
+ <ul>
+ <li><%=request.getContextPath()%>/html for the HTML GUI</li>
+ <li><%=request.getContextPath()%>/text for the text interface</li>
+ </ul>
+ <p>
+ Note that the URL for the text interface has changed from
+ "<%=request.getContextPath()%>" to
+ "<%=request.getContextPath()%>/text".
+ </p>
+ <p>
+ You probably need to adjust the URL you are using to access the Host
Manager
+ application. However, there is always a chance you have found a bug in the
+ Host Manager application. If you are sure you have found a bug, and that
the
+ bug has not already been reported, please report it to the Apache Tomcat
+ team.
+ </p>
+ </body>
+</html>
Modified: tomcat/trunk/webapps/host-manager/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/host-manager/WEB-INF/web.xml?rev=826294&r1=826293&r2=826294&view=diff
==============================================================================
--- tomcat/trunk/webapps/host-manager/WEB-INF/web.xml (original)
+++ tomcat/trunk/webapps/host-manager/WEB-INF/web.xml Sat Oct 17 19:25:11 2009
@@ -53,23 +53,7 @@
<!-- Define the Manager Servlet Mapping -->
<servlet-mapping>
<servlet-name>HostManager</servlet-name>
- <url-pattern>/list</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>HostManager</servlet-name>
- <url-pattern>/add</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>HostManager</servlet-name>
- <url-pattern>/remove</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>HostManager</servlet-name>
- <url-pattern>/start</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>HostManager</servlet-name>
- <url-pattern>/stop</url-pattern>
+ <url-pattern>/text/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>HTMLHostManager</servlet-name>
@@ -79,13 +63,18 @@
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
- <web-resource-name>HTMLHostManager and HostManager
commands</web-resource-name>
+ <web-resource-name>HostManager commands</web-resource-name>
+ <url-pattern>/text/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <!-- NOTE: This role is not present in the default users file -->
+ <role-name>admin-script</role-name>
+ </auth-constraint>
+ </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>HTMLHostManager commands</web-resource-name>
<url-pattern>/html/*</url-pattern>
- <url-pattern>/list</url-pattern>
- <url-pattern>/add</url-pattern>
- <url-pattern>/remove</url-pattern>
- <url-pattern>/start</url-pattern>
- <url-pattern>/stop</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- NOTE: This role is not present in the default users file -->
@@ -102,9 +91,26 @@
<!-- Security roles referenced by this web application -->
<security-role>
<description>
- The role that is required to log in to the Manager Application
+ The role that is required to log in to the Host Manager Application HTML
+ interface
</description>
<role-name>admin</role-name>
</security-role>
+ <security-role>
+ <description>
+ The role that is required to log in to the Host Manager Application text
+ interface
+ </description>
+ <role-name>admin-script</role-name>
+ </security-role>
+ <error-page>
+ <error-code>401</error-code>
+ <location>/401.jsp</location>
+ </error-page>
+ <error-page>
+ <error-code>404</error-code>
+ <location>/404.jsp</location>
+ </error-page>
+
</web-app>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
