From: markt Date: Sat, 17 Oct 2009 19:25:11 +0000 (+0000) Subject: Part 1 of CSRF protection for host manager. Move text interface from / to /text,... X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=02b00a1daef19347b6a4dcb4668ec8b2a1d9c860;p=tomcat7.0 Part 1 of CSRF protection for host manager. Move text interface from / to /text, add extra role for /text. Port 401.jsp and 404.jsp from manager. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@826294 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/webapps/host-manager/401.jsp b/webapps/host-manager/401.jsp new file mode 100644 index 000000000..db9b03a08 --- /dev/null +++ b/webapps/host-manager/401.jsp @@ -0,0 +1,62 @@ +<%-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--%> +<% + response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Host Manager Application\""); +%> + + + + 401 Unauthorized + + + +

401 Unauthorized

+

+ You are not authorized to view this page. If you have not changed + any configuration files, please examine the file + conf/tomcat-users.xml in your installation. That + file must contain the credentials to let you use this webapp. +

+

+ For example, to add the admin role to a user named + tomcat with a password of s3cret, add the following to the + config file listed above. +

+
+<role rolename="admin"/>
+<user username="tomcat" password="s3cret" roles="admin"/>
+
+

+ Note that for Tomcat 7 onwards, the roles required to use the host manager + application were changed from the single admin role to the + following two roles. You will need to assign the role(s) required for + the functionality you wish to access. +

+ + + + diff --git a/webapps/host-manager/404.jsp b/webapps/host-manager/404.jsp new file mode 100644 index 000000000..f2b74ba4a --- /dev/null +++ b/webapps/host-manager/404.jsp @@ -0,0 +1,61 @@ +<%-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--%> +<%@ page import="org.apache.catalina.util.RequestUtil" %> + + + + 404 Not found + + + +

404 Not found

+

+ The page you tried to access + (<%=RequestUtil.filter((String) request.getAttribute( + "javax.servlet.error.request_uri"))%>) + does not exist. +

+

+ The Host Manager application has been re-structured for Tomcat 7 onwards and some + of URLs have changed. All URLs used to access the Manager application should + now start with one of the following options: +

+ +

+ Note that the URL for the text interface has changed from + "<%=request.getContextPath()%>" to + "<%=request.getContextPath()%>/text". +

+

+ You probably need to adjust the URL you are using to access the Host Manager + application. However, there is always a chance you have found a bug in the + Host Manager application. If you are sure you have found a bug, and that the + bug has not already been reported, please report it to the Apache Tomcat + team. +

+ + diff --git a/webapps/host-manager/WEB-INF/web.xml b/webapps/host-manager/WEB-INF/web.xml index 8aaf2c665..ffd5e3a48 100644 --- a/webapps/host-manager/WEB-INF/web.xml +++ b/webapps/host-manager/WEB-INF/web.xml @@ -53,23 +53,7 @@ HostManager - /list - - - HostManager - /add - - - HostManager - /remove - - - HostManager - /start - - - HostManager - /stop + /text/* HTMLHostManager @@ -79,13 +63,18 @@ - HTMLHostManager and HostManager commands + HostManager commands + /text/* + + + + admin-script + + + + + HTMLHostManager commands /html/* - /list - /add - /remove - /start - /stop @@ -102,9 +91,26 @@ - The role that is required to log in to the Manager Application + The role that is required to log in to the Host Manager Application HTML + interface admin + + + The role that is required to log in to the Host Manager Application text + interface + + admin-script + + + 401 + /401.jsp + + + 404 + /404.jsp + +
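Review bot: In 401.jsp the tomcat-users.xml example still grants only the `admin` role (`<role rolename="admin"/>` and `roles="admin"`), while this same patch makes web.xml require `admin-script` for `/text/*`, so a user configured exactly as the page suggests keeps getting 401 from the text interface. Extend the example to the new role, e.g. `<role rolename="admin-script"/>` and `roles="admin,admin-script"`, or say next to it which role belongs to which interface. Separately, the `WWW-Authenticate` header written by the JSP hardcodes the realm "Tomcat Host Manager Application"; because `setHeader` replaces the challenge the authenticator already set, that string has to match the `realm-name` in the webapp's `login-config` (not part of this diff) or clients see one realm on the first challenge and another on the error page.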
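Review bot: The second paragraph of 404.jsp says "All URLs used to access the Manager application should now start with..." which is a leftover from the manager webapp this page was ported from; it should read "Host Manager application", and "some of URLs" should be "some of the URLs". On output encoding the hunk gets the important case right: `javax.servlet.error.request_uri` is attacker-chosen and is passed through `RequestUtil.filter` before being echoed. `request.getContextPath()` is echoed raw in the following paragraph, which is acceptable only because the context path comes from the deployment, not from the client. Minor: when /404.jsp is fetched directly rather than via the error-page forward, the request_uri attribute is null and the page prints the string "null"; a short null check would make the direct case read cleanly.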
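Review bot: The first web.xml hunk replaces the five explicit `HostManager` mappings with `/text/*`, and nothing else in the diff maps the old `/list`, `/add`, `/remove`, `/start` and `/stop` paths, so existing scripts that drive the text interface will now receive the 404 rendered by 404.jsp instead of the command result. That break is the intent of the change, but it is not documented anywhere in the patch beyond the 404 page itself; add a changelog/migration note that lists the new `/text/` prefix together with the new `admin-script` role, since both are needed for an existing script to work again.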
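Review bot: In the security-constraint hunk the single "HTMLHostManager and HostManager commands" constraint becomes two: `/text/*` requiring `admin-script` and `/html/*` requiring `admin` (the latter is an unchanged context line, consistent with the role description later in the file). As far as this patch goes that role separation is the entire CSRF measure: a browser session holding only `admin` can no longer be used to trigger the GET-driven text commands. Two caveats belong in the documentation rather than only in the commit subject: an administrator who gives one user both roles reinstates the exposure, and no token check for `/html/*` is included here, so "Part 1" is role separation only. Also, because the constraint list no longer enumerates paths at the context root, any servlet later mapped there would be unauthenticated; new mappings should stay under `/text/` or `/html/`.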
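Review bot: The last web.xml hunk adds `<error-page>` entries routing 401 and 404 to `/401.jsp` and `/404.jsp`; both JSPs sit outside `/text/*` and `/html/*` and so need no role, which is required for the 401 page to render for a client that has not authenticated yet. The `admin` description is corrected from "Manager Application" to "Host Manager Application HTML interface" and a parallel `admin-script` description is added; the same role names are now spelled out in the prose of 401.jsp, so the two places must be kept in sync when either changes. Since 401.jsp points the user at `conf/tomcat-users.xml`, the example content shipped in that file should mention `admin-script` as well, otherwise the error page directs the user to a file that does not name the role the text interface now needs.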