From 92e2397a6d31ca41e909fc944e30dc135bb229e8 Mon Sep 17 00:00:00 2001
From: markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Date: Thu, 14 Oct 2010 09:22:54 +0000
Subject: [PATCH] Add some more info on CSRF protection for the manager and
 host manager applications

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1022441 13f79535-47bb-0310-9956-ffa450edef68
---
 webapps/docs/manager-howto.xml | 12 ++++++++++++
 webapps/host-manager/401.jsp   | 13 ++++++++++++-
 webapps/host-manager/403.jsp   | 11 +++++++++++
 webapps/manager/401.jsp        | 11 +++++++++++
 webapps/manager/403.jsp        | 11 +++++++++++
 5 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/webapps/docs/manager-howto.xml b/webapps/docs/manager-howto.xml
index cd0806484..3bc29b6f0 100644
--- a/webapps/docs/manager-howto.xml
+++ b/webapps/docs/manager-howto.xml
@@ -169,6 +169,18 @@ an example of restricting access to the localhost by IP address:</p>
                 allow="127\.0\.0\.1"/&gt;
 &lt;/Context&gt;
 </pre>
+
+<p>The HTML interface is protected against CSRF but the text and JMX interfaces
+are not. To maintain the CSRF protection:</p>
+    
+<ul>
+  <li>users with the <tt>manager-gui</tt> role should not be granted either the
+      <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+  <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+      testing since these interfaces are intended for tools not humans) then the
+      browser must be closed afterwards to terminate the session.</li>
+</ul>
+
 </section>
 
 
diff --git a/webapps/host-manager/401.jsp b/webapps/host-manager/401.jsp
index b2d9deb96..ce37e3e8e 100644
--- a/webapps/host-manager/401.jsp
+++ b/webapps/host-manager/401.jsp
@@ -54,9 +54,20 @@
     the functionality you wish to access.
    </p>
     <ul>
-      <li><tt>admin</tt> - allows access to the HTML GUI</li>
+      <li><tt>admin-gui</tt> - allows access to the HTML GUI</li>
       <li><tt>admin-script</tt> - allows access to the text interface</li>
     </ul>
+   <p>
+    The HTML interface is protected against CSRF but the text interface is not.
+    To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>admin-gui</tt> role should not be granted the
+       <tt>manager-script</tt> role.</li>
+    <li>if the text interface is accessed through a browser (e.g. for testing
+        since this interfaces is intended for tools not humans) then the browser
+        must be closed afterwards to terminate the session.</li>
+   </ul>
  </body>
 
 </html>
diff --git a/webapps/host-manager/403.jsp b/webapps/host-manager/403.jsp
index 8f5b0d34f..33e9058db 100644
--- a/webapps/host-manager/403.jsp
+++ b/webapps/host-manager/403.jsp
@@ -71,6 +71,17 @@
       <li><tt>admin-gui</tt> - allows access to the HTML GUI</li>
       <li><tt>admin-script</tt> - allows access to the text interface</li>
     </ul>
+   <p>
+    The HTML interface is protected against CSRF but the text interface is not.
+    To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>admin-gui</tt> role should not be granted the
+       <tt>manager-script</tt> role.</li>
+    <li>if the text interface is accessed through a browser (e.g. for testing
+        since this interfaces is intended for tools not humans) then the browser
+        must be closed afterwards to terminate the session.</li>
+   </ul>
  </body>
 
 </html>
diff --git a/webapps/manager/401.jsp b/webapps/manager/401.jsp
index 8fb2cfd57..b05d87f68 100644
--- a/webapps/manager/401.jsp
+++ b/webapps/manager/401.jsp
@@ -63,6 +63,17 @@
       <li><tt>manager-status</tt> - allows access to the status pages only</li>
     </ul>
    <p>
+    The HTML interface is protected against CSRF but the text and JMX interfaces
+    are not. To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>manager-gui</tt> role should not be granted either
+        the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+    <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+         testing since these interfaces are intended for tools not humans) then
+         the browser must be closed afterwards to terminate the session.</li>
+   </ul>
+   <p>
     For more information - please see the
     <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
    </p>
diff --git a/webapps/manager/403.jsp b/webapps/manager/403.jsp
index 23f9d724f..028d2bb70 100644
--- a/webapps/manager/403.jsp
+++ b/webapps/manager/403.jsp
@@ -78,6 +78,17 @@
       <li><tt>manager-status</tt> - allows access to the status pages only</li>
     </ul>
    <p>
+    The HTML interface is protected against CSRF but the text and JMX interfaces
+    are not. To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>manager-gui</tt> role should not be granted either
+        the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+    <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+         testing since these interfaces are intended for tools not humans) then
+         the browser must be closed afterwards to terminate the session.</li>
+   </ul>
+   <p>
     For more information - please see the
     <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
    </p>
-- 
2.11.0