Tomcat Security

If you use the BIRT-runtime option, a J2EE Application Server/Webserver (e.g. Apache Tomcat) is needed for the HTML publishing of reports and access rights. If you use Apache Tomcat, see chapter BIRT, requirements and installation.

This chapter gives you an overview of the Tomcat manager application.

The Tomcat manager application lets you deploy a new web application or undeploy an existing one without restarting the container. Furthermore, you can reload an existing application without declaring it to be "reloadable".

The Tomcat manager application is disabled by default for security reasons. If you want to use the application, you have to authenticate yourself with a user name and a password you defined when installing Tomcat (see figure below):

Figure 1. Tomcat Installation, Basic Configuration

You can find more information on Tomcat security on the Apache homepage:

https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html

To access the Manager web application, create a new user name and password and associate one of the manager roles with it, or add a manager role to an existing user.

To be granted access to the manager application, a user must have one of the manager roles. The users are saved in the Tomcat_InstallationPath/conf/tomcat-users.xml file (see figure below).

Figure 2. tomcat-users.xml file

The tomcat-users.xml file is used to manage users, passwords and user roles.

NOTE that a default user does not exist. Therefore, create a user when installing Tomcat.

The following manager roles are available:

      • manager-gui — Access to the HTML interface (see Tomcat help).

      • manager-status — Access to the "Server Status" page only (see Tomcat help).

      • manager-script — Access to the tools-friendly plain text interface and to the "Server Status" page (see Tomcat help).

      • manager-jmx — Access to the JMX proxy interface and to the "Server Status" page (see Tomcat help).
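
The following tomcat-users.xml is an added example, not taken from the original figures. It shows one way to assign the roles listed above so that each account holds exactly one manager role; the user names and password placeholders are constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example for Tomcat_InstallationPath/conf/tomcat-users.xml.
     User names and passwords are placeholders, not Tomcat defaults. -->
<tomcat-users>
  <!-- Declare only the manager roles that are actually in use. -->
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>

  <!-- Human administrator: HTML interface only. -->
  <user username="birt-admin"
        password="REPLACE_WITH_UNIQUE_PASSWORD_1"
        roles="manager-gui"/>

  <!-- Deployment tooling: plain text interface. Kept as a separate account
       because the Tomcat Manager documentation recommends not granting
       manager-script or manager-jmx to users who hold manager-gui. -->
  <user username="birt-deploy"
        password="REPLACE_WITH_UNIQUE_PASSWORD_2"
        roles="manager-script"/>

  <!-- Monitoring: "Server Status" page only, no deploy or undeploy rights. -->
  <user username="birt-monitor"
        password="REPLACE_WITH_UNIQUE_PASSWORD_3"
        roles="manager-status"/>

  <!-- manager-jmx is neither declared nor assigned here because nothing in
       this example uses the JMX proxy interface. -->
</tomcat-users>
```

Passwords in this file are stored in plain text unless digested passwords are configured for the Realm, so restrict read access to the file to the account that runs Tomcat.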

The web.xml file of the Manager web application contains the role names. Above all, the web.xml file is used to specify access rights for the individual report subdirectories, so that only specific user groups (roles) are granted or denied access to specific directories.

Figure 3. Web.xml file

For more information on how to configure Tomcat, see the Tomcat web page http://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html.

Optionally, you can also use SSL (see the Tomcat web page https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html) or switch to Windows authentication (see https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html).