From: markt Date: Tue, 22 Mar 2011 08:57:12 +0000 (+0000) Subject: Prevent the custom error pages for the Manager and Host Manager applications from... X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=60dd51771625216ca134e48485c8cbf28f0c2aac;p=tomcat7.0 Prevent the custom error pages for the Manager and Host Manager applications from being accessed directly. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1084109 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 3dca0286d..929a1b2d4 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -126,6 +126,10 @@ Align the authenticator documentation and MBean descriptors with the implementation. (markt) + + Prevent the custom error pages for the Manager and Host Manager + applications from being accessed directly. (markt) + diff --git a/webapps/host-manager/401.jsp b/webapps/host-manager/401.jsp deleted file mode 100644 index 83c8c6f32..000000000 --- a/webapps/host-manager/401.jsp +++ /dev/null @@ -1,70 +0,0 @@ -<%-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---%> - - - - 401 Unauthorized - - - -

401 Unauthorized

-

- You are not authorized to view this page. If you have not changed - any configuration files, please examine the file - conf/tomcat-users.xml in your installation. That - file must contain the credentials to let you use this webapp. -

-

- For example, to add the admin-gui role to a user named - tomcat with a password of s3cret, add the following to the - config file listed above. -

-
-<role rolename="admin-gui"/>
-<user username="tomcat" password="s3cret" roles="admin-gui"/>
-
-

- Note that for Tomcat 7 onwards, the roles required to use the host manager - application were changed from the single admin role to the - following two roles. You will need to assign the role(s) required for - the functionality you wish to access. -

- -

- The HTML interface is protected against CSRF but the text interface is not. - To maintain the CSRF protection: -

- - - - diff --git a/webapps/host-manager/403.jsp b/webapps/host-manager/403.jsp deleted file mode 100644 index dd210ceb1..000000000 --- a/webapps/host-manager/403.jsp +++ /dev/null @@ -1,84 +0,0 @@ -<%-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---%> - - - - 403 Access Denied - - - -

403 Access Denied

-

- You are not authorized to view this page. -

-

- If you have already configured the Host Manager application to allow access - and you have used your browsers back button, used a saved book-mark or - similar then you may have triggered the cross-site request forgery (CSRF) - protection that has been enabled for the HTML interface of the Host Manager - application. You will need to reset this protection by returning to the - main Host Manager page. - Once you return to this page, you will be able to continue using the Host - Manager appliction's HTML interface normally. If you continue to see this - access denied message, check that you have the necessary permissions to - access this application. -

-

If you have not changed - any configuration files, please examine the file - conf/tomcat-users.xml in your installation. That - file must contain the credentials to let you use this webapp. -

-

- For example, to add the admin-gui role to a user named - tomcat with a password of s3cret, add the following to the - config file listed above. -

-
-<role rolename="admin-gui"/>
-<user username="tomcat" password="s3cret" roles="admin-gui"/>
-
-

- Note that for Tomcat 7 onwards, the roles required to use the host manager - application were changed from the single admin role to the - following two roles. You will need to assign the role(s) required for - the functionality you wish to access. -

- -

- The HTML interface is protected against CSRF but the text interface is not. - To maintain the CSRF protection: -

- - - - diff --git a/webapps/host-manager/404.jsp b/webapps/host-manager/404.jsp deleted file mode 100644 index d1b5b0b09..000000000 --- a/webapps/host-manager/404.jsp +++ /dev/null @@ -1,61 +0,0 @@ -<%-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---%> -<%@ page import="org.apache.catalina.util.RequestUtil" %> - - - - 404 Not found - - - -

404 Not found

-

- The page you tried to access - (<%=RequestUtil.filter((String) request.getAttribute( - "javax.servlet.error.request_uri"))%>) - does not exist. -

-

- The Host Manager application has been re-structured for Tomcat 7 onwards and - some URLs have changed. All URLs used to access the Manager application - should now start with one of the following options: -

- -

- Note that the URL for the text interface has changed from - "<%=request.getContextPath()%>" to - "<%=request.getContextPath()%>/text". -

-

- You probably need to adjust the URL you are using to access the Host Manager - application. However, there is always a chance you have found a bug in the - Host Manager application. If you are sure you have found a bug, and that the - bug has not already been reported, please report it to the Apache Tomcat - team. -

- - diff --git a/webapps/host-manager/WEB-INF/jsp/401.jsp b/webapps/host-manager/WEB-INF/jsp/401.jsp new file mode 100644 index 000000000..83c8c6f32 --- /dev/null +++ b/webapps/host-manager/WEB-INF/jsp/401.jsp @@ -0,0 +1,70 @@ +<%-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--%> + + + + 401 Unauthorized + + + +

401 Unauthorized

+

+ You are not authorized to view this page. If you have not changed + any configuration files, please examine the file + conf/tomcat-users.xml in your installation. That + file must contain the credentials to let you use this webapp. +

+

+ For example, to add the admin-gui role to a user named + tomcat with a password of s3cret, add the following to the + config file listed above. +

+
+<role rolename="admin-gui"/>
+<user username="tomcat" password="s3cret" roles="admin-gui"/>
+
+

+ Note that for Tomcat 7 onwards, the roles required to use the host manager + application were changed from the single admin role to the + following two roles. You will need to assign the role(s) required for + the functionality you wish to access. +

+ +

+ The HTML interface is protected against CSRF but the text interface is not. + To maintain the CSRF protection: +

+ + + + diff --git a/webapps/host-manager/WEB-INF/jsp/403.jsp b/webapps/host-manager/WEB-INF/jsp/403.jsp new file mode 100644 index 000000000..dd210ceb1 --- /dev/null +++ b/webapps/host-manager/WEB-INF/jsp/403.jsp @@ -0,0 +1,84 @@ +<%-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--%> + + + + 403 Access Denied + + + +

403 Access Denied

+

+ You are not authorized to view this page. +

+

+ If you have already configured the Host Manager application to allow access + and you have used your browsers back button, used a saved book-mark or + similar then you may have triggered the cross-site request forgery (CSRF) + protection that has been enabled for the HTML interface of the Host Manager + application. You will need to reset this protection by returning to the + main Host Manager page. + Once you return to this page, you will be able to continue using the Host + Manager appliction's HTML interface normally. If you continue to see this + access denied message, check that you have the necessary permissions to + access this application. +

+

If you have not changed + any configuration files, please examine the file + conf/tomcat-users.xml in your installation. That + file must contain the credentials to let you use this webapp. +

+

+ For example, to add the admin-gui role to a user named + tomcat with a password of s3cret, add the following to the + config file listed above. +

+
+<role rolename="admin-gui"/>
+<user username="tomcat" password="s3cret" roles="admin-gui"/>
+
+

+ Note that for Tomcat 7 onwards, the roles required to use the host manager + application were changed from the single admin role to the + following two roles. You will need to assign the role(s) required for + the functionality you wish to access. +

+ +

+ The HTML interface is protected against CSRF but the text interface is not. + To maintain the CSRF protection: +

+ + + + diff --git a/webapps/host-manager/WEB-INF/jsp/404.jsp b/webapps/host-manager/WEB-INF/jsp/404.jsp new file mode 100644 index 000000000..d1b5b0b09 --- /dev/null +++ b/webapps/host-manager/WEB-INF/jsp/404.jsp @@ -0,0 +1,61 @@ +<%-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--%> +<%@ page import="org.apache.catalina.util.RequestUtil" %> + + + + 404 Not found + + + +

404 Not found

+

+ The page you tried to access + (<%=RequestUtil.filter((String) request.getAttribute( + "javax.servlet.error.request_uri"))%>) + does not exist. +

+

+ The Host Manager application has been re-structured for Tomcat 7 onwards and + some URLs have changed. All URLs used to access the Manager application + should now start with one of the following options: +

+ +

+ Note that the URL for the text interface has changed from + "<%=request.getContextPath()%>" to + "<%=request.getContextPath()%>/text". +

+

+ You probably need to adjust the URL you are using to access the Host Manager + application. However, there is always a chance you have found a bug in the + Host Manager application. If you are sure you have found a bug, and that the + bug has not already been reported, please report it to the Apache Tomcat + team. +

+ + diff --git a/webapps/host-manager/WEB-INF/web.xml b/webapps/host-manager/WEB-INF/web.xml index 3a928c0f6..7177ffe2c 100644 --- a/webapps/host-manager/WEB-INF/web.xml +++ b/webapps/host-manager/WEB-INF/web.xml @@ -116,15 +116,15 @@ 401 - /401.jsp + /WEB-INF/jsp/401.jsp 403 - /403.jsp + /WEB-INF/jsp/403.jsp 404 - /404.jsp + /WEB-INF/jsp/404.jsp diff --git a/webapps/manager/401.jsp b/webapps/manager/401.jsp deleted file mode 100644 index 01f8aa9fc..000000000 --- a/webapps/manager/401.jsp +++ /dev/null @@ -1,79 +0,0 @@ -<%-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---%> - - - - 401 Unauthorized - - - -

401 Unauthorized

-

- You are not authorized to view this page. If you have not changed - any configuration files, please examine the file - conf/tomcat-users.xml in your installation. That - file must contain the credentials to let you use this webapp. -

-

- For example, to add the manager-gui role to a user named - tomcat with a password of s3cret, add the following to the - config file listed above. -

-
-<role rolename="manager-gui"/>
-<user username="tomcat" password="s3cret" roles="manager-gui"/>
-
-

- Note that for Tomcat 7 onwards, the roles required to use the manager - application were changed from the single manager role to the - following four roles. You will need to assign the role(s) required for - the functionality you wish to access. -

- -

- The HTML interface is protected against CSRF but the text and JMX interfaces - are not. To maintain the CSRF protection: -

- -

- For more information - please see the - Manager App HOW-TO. -

- - - diff --git a/webapps/manager/403.jsp b/webapps/manager/403.jsp deleted file mode 100644 index a77a9cffc..000000000 --- a/webapps/manager/403.jsp +++ /dev/null @@ -1,94 +0,0 @@ -<%-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---%> - - - - 403 Access Denied - - - -

403 Access Denied

-

- You are not authorized to view this page. -

-

- If you have already configured the Manager application to allow access and - you have used your browsers back button, used a saved book-mark or similar - then you may have triggered the cross-site request forgery (CSRF) protection - that has been enabled for the HTML interface of the Manager application. You - will need to reset this protection by returning to the - main Manager page. Once you - return to this page, you will be able to continue using the Manager - appliction's HTML interface normally. If you continue to see this access - denied message, check that you have the necessary permissions to access this - application. -

-

- If you have not changed - any configuration files, please examine the file - conf/tomcat-users.xml in your installation. That - file must contain the credentials to let you use this webapp. -

-

- For example, to add the manager-gui role to a user named - tomcat with a password of s3cret, add the following to the - config file listed above. -

-
-<role rolename="manager-gui"/>
-<user username="tomcat" password="s3cret" roles="manager-gui"/>
-
-

- Note that for Tomcat 7 onwards, the roles required to use the manager - application were changed from the single manager role to the - following four roles. You will need to assign the role(s) required for - the functionality you wish to access. -

- -

- The HTML interface is protected against CSRF but the text and JMX interfaces - are not. To maintain the CSRF protection: -

- -

- For more information - please see the - Manager App HOW-TO. -

- - - diff --git a/webapps/manager/404.jsp b/webapps/manager/404.jsp deleted file mode 100644 index 86d4f3519..000000000 --- a/webapps/manager/404.jsp +++ /dev/null @@ -1,62 +0,0 @@ -<%-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---%> -<%@ page import="org.apache.catalina.util.RequestUtil" %> - - - - 404 Not found - - - -

404 Not found

-

- The page you tried to access - (<%=RequestUtil.filter((String) request.getAttribute( - "javax.servlet.error.request_uri"))%>) - does not exist. -

-

- The Manager application has been re-structured for Tomcat 7 onwards and some - of URLs have changed. All URLs used to access the Manager application should - now start with one of the following options: -

- -

- Note that the URL for the text interface has changed from - "<%=request.getContextPath()%>" to - "<%=request.getContextPath()%>/text". -

-

- You probably need to adjust the URL you are using to access the Manager - application. However, there is always a chance you have found a bug in the - Manager application. If you are sure you have found a bug, and that the bug - has not already been reported, please report it to the Apache Tomcat team. -

- - diff --git a/webapps/manager/WEB-INF/jsp/401.jsp b/webapps/manager/WEB-INF/jsp/401.jsp new file mode 100644 index 000000000..01f8aa9fc --- /dev/null +++ b/webapps/manager/WEB-INF/jsp/401.jsp @@ -0,0 +1,79 @@ +<%-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--%> + + + + 401 Unauthorized + + + +

401 Unauthorized

+

+ You are not authorized to view this page. If you have not changed + any configuration files, please examine the file + conf/tomcat-users.xml in your installation. That + file must contain the credentials to let you use this webapp. +

+

+ For example, to add the manager-gui role to a user named + tomcat with a password of s3cret, add the following to the + config file listed above. +

+
+<role rolename="manager-gui"/>
+<user username="tomcat" password="s3cret" roles="manager-gui"/>
+
+

+ Note that for Tomcat 7 onwards, the roles required to use the manager + application were changed from the single manager role to the + following four roles. You will need to assign the role(s) required for + the functionality you wish to access. +

+ +

+ The HTML interface is protected against CSRF but the text and JMX interfaces + are not. To maintain the CSRF protection: +

+ +

+ For more information - please see the + Manager App HOW-TO. +

+ + + diff --git a/webapps/manager/WEB-INF/jsp/403.jsp b/webapps/manager/WEB-INF/jsp/403.jsp new file mode 100644 index 000000000..a77a9cffc --- /dev/null +++ b/webapps/manager/WEB-INF/jsp/403.jsp @@ -0,0 +1,94 @@ +<%-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--%> + + + + 403 Access Denied + + + +

403 Access Denied

+

+ You are not authorized to view this page. +

+

+ If you have already configured the Manager application to allow access and + you have used your browsers back button, used a saved book-mark or similar + then you may have triggered the cross-site request forgery (CSRF) protection + that has been enabled for the HTML interface of the Manager application. You + will need to reset this protection by returning to the + main Manager page. Once you + return to this page, you will be able to continue using the Manager + appliction's HTML interface normally. If you continue to see this access + denied message, check that you have the necessary permissions to access this + application. +

+

+ If you have not changed + any configuration files, please examine the file + conf/tomcat-users.xml in your installation. That + file must contain the credentials to let you use this webapp. +

+

+ For example, to add the manager-gui role to a user named + tomcat with a password of s3cret, add the following to the + config file listed above. +

+
+<role rolename="manager-gui"/>
+<user username="tomcat" password="s3cret" roles="manager-gui"/>
+
+

+ Note that for Tomcat 7 onwards, the roles required to use the manager + application were changed from the single manager role to the + following four roles. You will need to assign the role(s) required for + the functionality you wish to access. +

+ +

+ The HTML interface is protected against CSRF but the text and JMX interfaces + are not. To maintain the CSRF protection: +

+ +

+ For more information - please see the + Manager App HOW-TO. +

+ + + diff --git a/webapps/manager/WEB-INF/jsp/404.jsp b/webapps/manager/WEB-INF/jsp/404.jsp new file mode 100644 index 000000000..86d4f3519 --- /dev/null +++ b/webapps/manager/WEB-INF/jsp/404.jsp @@ -0,0 +1,62 @@ +<%-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--%> +<%@ page import="org.apache.catalina.util.RequestUtil" %> + + + + 404 Not found + + + +

404 Not found

+

+ The page you tried to access + (<%=RequestUtil.filter((String) request.getAttribute( + "javax.servlet.error.request_uri"))%>) + does not exist. +

+

+ The Manager application has been re-structured for Tomcat 7 onwards and some + of URLs have changed. All URLs used to access the Manager application should + now start with one of the following options: +

+ +

+ Note that the URL for the text interface has changed from + "<%=request.getContextPath()%>" to + "<%=request.getContextPath()%>/text". +

+

+ You probably need to adjust the URL you are using to access the Manager + application. However, there is always a chance you have found a bug in the + Manager application. If you are sure you have found a bug, and that the bug + has not already been reported, please report it to the Apache Tomcat team. +

+ + diff --git a/webapps/manager/WEB-INF/web.xml b/webapps/manager/WEB-INF/web.xml index 2d13269ba..5245e3d37 100644 --- a/webapps/manager/WEB-INF/web.xml +++ b/webapps/manager/WEB-INF/web.xml @@ -181,15 +181,15 @@ 401 - /401.jsp + /WEB-INF/jsp/401.jsp 403 - /403.jsp + /WEB-INF/jsp/403.jsp 404 - /404.jsp + /WEB-INF/jsp/404.jsp
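Review bot: the two web.xml hunks (host-manager and manager) are where the fix actually lives, and relocating the three error-page locations to `/WEB-INF/jsp/401.jsp`, `/WEB-INF/jsp/403.jsp` and `/WEB-INF/jsp/404.jsp` is the right mechanism: the container never serves a resource below `WEB-INF` to a direct request, while an error-page dispatch is an internal forward and still reaches the JSP. Two things worth checking before merge: that each page still compiles and renders when it is only ever reached via the error dispatch (no direct hit to trigger compilation), and that no root-level `401.jsp`/`403.jsp`/`404.jsp` is left behind in either webapp, since a leftover copy would silently reintroduce the direct-access path. Any error page added later for another status code or exception type should go under the same `WEB-INF/jsp` directory so the protection is not lost by accident.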
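Review bot: in both new 404.jsp files the expression `RequestUtil.filter((String) request.getAttribute("javax.servlet.error.request_uri"))` assumes the servlet error attribute is present, which is only guaranteed when the page is reached through the container's error dispatch. Blocking direct access removes the obvious way to hit the page without that attribute, but an application-level `RequestDispatcher.forward` to a `WEB-INF` path is still possible, so a null guard around the attribute (falling back to the context path, say) would make the page robust regardless of how it is invoked. The `RequestUtil.filter` call itself should stay exactly as it is: the requested URI is client-controlled and this is what keeps it from being echoed into the HTML unescaped.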
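Review bot: the changelog hunk says what changes ("Prevent the custom error pages ... from being accessed directly") but not why direct access was undesirable; a short clause noting that the pages rely on servlet error attributes that only an error dispatch sets (the 404.jsp use of `javax.servlet.error.request_uri` is the visible case) would let release-note readers judge the impact without opening the diff.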
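Review bot: the six JSP deletions and additions are byte-for-byte moves (the index lines carry the same blob id on both sides: 83c8c6f32, dd210ceb1, d1b5b0b09, 01f8aa9fc, a77a9cffc, 86d4f3519), which makes the relocation easy to verify and is the right scope for this commit. Since these files are being touched anyway, the spelling in both 403.jsp copies ("appliction's" for "application's", "book-mark" for "bookmark") is worth a separate follow-up rather than folding it into the move.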