Tomcat RESTful URL Management
If you can perform a Tomcat administration function via the GUI Tomcat manager at
by a username and password) you can perform the same function through the new “REST like” text URL interface.
Yes, check it out with your browser, but this interface is designed for mechanoids. It is a breath of fresh air
for your continuous delivery pipeline and simplicity is its power.
This article walks you through using the Tomcat manager text interface in the steps below:
- add a text manager role to tomcat-users.xml
- review security threats surrounding the Tomcat text interface
- build a Tomcat manager text URL command
An addendum references each part of the URL to enhance your Tomcat manager text URL knowledge.
1. Tomcat Manager Text | How to Configure Role
Look in the example
tomcat-users.xml file. A production Tomcat install on Ubuntu (and most Linux flavours) puts this file in
Example tomcat-users.xml configuration file
The above file has a section like this.
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<user username="admin" password="p455w0rd" roles="manager-gui,manager-script" />
Don’t forget to comma separate the roles
Pointless | Adding Another Tomcat User
Adding another Tomcat user is pointless because the text interface does not prompt for either a username or a password!
This leads us to examine the security threats and vulnerabilities surrounding Tomcat’s text manager interface.
2. Tomcat Manager Text | Security
If you know the security threats and vulnerabilities surrounding Tomcat’s text manager interface, you can employ the necessary (proportional) prevention and protection mechanisms.
The main threat is using plaintext HTTP URLs. This allows anyone with access to an intermediate network to read your URLs and, worse still, your password when the browser prompts you for it. As well as using the secure HTTPS (SSL) protocol, all web-facing Tomcats should be safeguarded by blocking unauthorised URL access. Employ the usual tactics available in the Apache Web Server, the Tomcat Server, and most “intelligent” firewalls to prevent unauthorised access to this interface.
Take care to prevent file uploads onto your Tomcat server. Attackers can upload trojan web applications and then ask Tomcat to deploy them if they have the necessary username and password.
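Tomcat's Manager documentation advises that a user holding manager-gui should not also be granted manager-script or manager-jmx, because that weakens the HTML manager's CSRF protection; the admin entry in section 1 combines the two. The Python check below is an added example, not code from the original article or from Tomcat: the audit function, the deployer account, the placeholder passwords and both sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the user entry from section 1 of the article.
COMBINED = """<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="p455w0rd" roles="manager-gui,manager-script"/>
</tomcat-users>"""

# Constructed alternative (assumption): one account per interface.
SPLIT = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="admin" password="REPLACE-ME-1" roles="manager-gui"/>
  <user username="deployer" password="REPLACE-ME-2" roles="manager-script"/>
</tomcat-users>"""

GUI_ROLE = "manager-gui"
NON_BROWSER_ROLES = {"manager-script", "manager-jmx"}


def local(tag):
    """Drop the XML namespace prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return sorted (username, finding) tuples for risky role attributes."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "user":
            continue
        name = elem.get("username", "?")
        # Roles are a comma-separated list; trim stray spaces around each name.
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        overlap = sorted(roles & NON_BROWSER_ROLES)
        if GUI_ROLE in roles and overlap:
            findings.append((name, "manager-gui combined with " + ", ".join(overlap)))
        for token in sorted(roles):
            if len(token.split()) > 1:  # e.g. roles="manager-gui manager-script"
                findings.append((name, "roles not comma separated: " + token))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("combined", COMBINED), ("split", SPLIT)):
        print(label, audit(text) or "no findings")
```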
3. Tomcat Manager Text | Use wget to authenticate
You can use wget on Linux to authenticate your Tomcat manager URLs from a machine shell window. Subsequent URLs then do not need to have credentials and can be published safely.
wget http://localhost:8080/manager/text/list --http-user=admin --http-password=p455w0rd
The wget command should produce the following output.
--2016-10-16 21:29:58--  http://localhost:8080/manager/text/list
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to localhost:8080.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
More importantly – a file called “list” should appear with the following contents (showing the 3 standard web-applications).
OK - Listed applications for virtual host localhost
After the above command – subsequent URLs on the same shell will not require username/password credentials. This command without credentials, now works.
4. Tomcat Manager Text | How to Build Urls
Deploying a WAR file via Tomcat’s text services is the headline feature. Still, you can’t overwrite an in-place web application so knowing the undeploy command is mission critical.
All Tomcat’s text commands are listed so you can proverbially and oxymoronically pick and choose.
Deploy Web Application WAR File into Tomcat Command
OK - Deployed application at context path /
Undeploy the ROOT Web Application
OK - Undeployed application at context path /
List the Applications Managed By Tomcat
Capture Host (Server) Information
The reply will look something like this.
OK - Server info
Tomcat Version: Apache Tomcat/8.0.32 (Ubuntu)
OS Name: Linux
OS Version: 4.4.0-38-generic
OS Architecture: amd64
JVM Version: 1.8.0_91-b14
JVM Vendor: Oracle Corporation
View Summary of Web App Sessions
Common Errors from Tomcat Manager Text Interface
The common errors ejected by the Tomcat text manager service are below.
FAIL - Unknown command /text – if no question-mark command provided
FAIL - Invalid context path null was specified – if no “path” specified
FAIL - Failed to deploy application at context path /explorer-0.00.006 – Solution – “war” parameter is a (http) url
FAIL - Application already exists at path / – you must undeploy the app (ROOT)