Tomcat RESTful URL Management

If you can perform a Tomcat administration function via the GUI Tomcat manager at http://localhost:8080/manager/html (followed
by a username and password) you can perform the same function through the new “REST like” text URL interface.

Yes, check it out with your browser, but this interface is designed for mechanoids. It is a breath of fresh air
for your continuous delivery pipeline and simplicity is its power.

This article walks you through using the Tomcat manager text interface with the below steps

  1. add a text manager role to tomcat-users.xml
  2. review security threats surrounding the Tomcat text interface
  3. build a Tomcat manager text url command

An addendum references each part of the URL to enhance your Tomcat manager text url knowledge.

1. Tomcat Manager Text | How to Configure Role

Look in the example tomcat-users.xml file. A production Tomcat install on Ubuntu (and most Linux flavours) puts this file in /etc/tomcat8.

Click me »

Example t omcat-users.xml configuration file

The above file has a section like this.

 <role rolename="manager-gui"/>
 <role rolename="manager-script"/>
 <user username="admin" password="p455w0rd" roles="manager-gui,manager-script" />

Don’t forget to comma separate the roles manager-gui,manager-script.

Pointless | Adding Another Tomcat User

Adding another tomcat user is pointless because the text interface does not prompt for neither a username nor a password!

This leads us to examine the security threats and vulnerabilities surrounding Tomcat’s text manager interface.

2. Tomcat Manager Text | Security

If you know the security threats and vulnerabilities surround Tomcat’s text manager interface, you can employ the necessary (proportional) prevention and protection mechanisms.

The main threat is using plaintext HTTP urls. This allows anyone with access to an intermediate network to read your URLs and worse still – your passwords when the browser prompts you for it. As well as using the secure HTTPs (SSL) protocol, all web facing Tomcats should be safe-guarded by blocking unauthorised URL access. Employ the usual tactics available in the Apache Web Server, the Tomcat Server, and most “intelligent” firewalls to prevent unauthorized access to this interface.

Take care to prevent file uploads onto your tomcat server. Attackers can upload trojan web applications and then ask Tomcat to deploy it if they have the username and password necessary.

3. Tomcat Manager Text | Use wget to authenticate

You can use wget on Linux to authenticate your tomcat manager URLs from a machine shell window. Subsequent URLs then do not need to have credentials and can be published safely.

wget http://localhost:8080/manager/text/list --http-user=admin --http-password=p455w0rd

The wget comman should produce the following output.

–2016-10-16 21:29:58– http://localhost:8080/manager/text/list
Resolving localhost (localhost)…
Connecting to localhost (localhost)||:8080… connected.
HTTP request sent, awaiting response… 401 Unauthorized
Reusing existing connection to localhost:8080.
HTTP request sent, awaiting response… 200 OK
Length: unspecified [text/plain]

More importantly – a file called “list” should appear with the following contents (showing the 3 standard web-applications).

OK – Listed applications for virtual host localhost

After the above command – subsequent URLs on the same shell will not require username/password credentials. This command without credentials, now works.

wget http://localhost:8080/manager/text/list

4. Tomcat Manager Text | How to Build Urls

Deploying a WAR file via Tomcat’s text services is the headline feature. Still, you can’t overwrite an in-place web application so knowing the undeploy command is mission critical.

All Tomcat’s text commands are listed so you can proverbially and oxymoronically pick and choose.

Deploy Web Application WAR File into Tomcat Command


OK - Deployed application at context path /

Undeploy the ROOT Web Application


OK - Undeployed application at context path /

List the Applications Managed By Tomcat


Capture Host (Server) Information


The reply will look something like this.

OK - Server info
Tomcat Version: Apache Tomcat/8.0.32 (Ubuntu)
OS Name: Linux
OS Version: 4.4.0-38-generic
OS Architecture: amd64
JVM Version: 1.8.0_91-b14
JVM Vendor: Oracle Corporation

View Summary of Web App Sessions


Common Errors from Tomcat Manager Text Interface

The common errors ejected by the Tomcat text manager service are below.

  • FAIL - Unknown command /text – if no question-mark command provided
  • FAIL - Invalid context path null was specified – if no “path” specified
  • FAIL - Failed to deploy application at context path /explorer-0.00.006 – Solution – “war” parameter is a (http) url
  • FAIL - Application already exists at path / – you must undeploy the app (ROOT)

Leave a Reply

Your email address will not be published. Required fields are marked *