Apache Tomcat is one of the most popular web application servers for Java. It comes with a web interface called the Manager which makes it easy to administer and control web applications running in Tomcat using a web browser. Using the Manager, you can deploy a new WAR application and control existing ones without having to restart Tomcat. The Manager interface is typically accessed by visiting
This article explains how to configure access to the Tomcat Manager interface and how to setup a username and password.
Tomcat 9: Manager Access with Username/Passowrd
Because of safety reasons (you wouldn’t want anyone on the web accessing the admin controls!) access to the Manager is disabled by default. There is no default username and password. To enable this access, you must create a new username/password combination and associate it with the
manager-gui role (list below). To do this, you’ll need to modify the
<?xml version='1.0' encoding='utf-8'?> <tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" version="1.0"> <role rolename="manager-gui" /> <user username="admin" password="admin" roles="manager-gui" /> </tomcat-users>
You’ll need to restart Tomcat after editing the file above. After restarting Tomcat, you should be able to access the Manager app (http://localhost:8080/manager/html) using username = admin and password = admin.
Let’s take a quick look at Tomcat roles. Roles allow controlled access to Tomcat. Tomcat has 4 roles all starting with the
manager- prefix. These are
manager-gui: Access to the Manager interface through the browser. You must assign this role to enable access to the web interface. The web interface comes with cross-site request forgery (CSRF) protection.
manager-status: Server Status page access only.
manager-script: Like manager-gui but using the text interface instead of the HTML GUI. This is used by system administrators to to write scripts for automation.
manager-jmx: JMX proxy access for monitoring.
You can also assign multiple roles to a user by providing a comma-separated list. E.g.
<?xml version="1.0" encoding="UTF-8"?> <tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" version="1.0"> <role rolename="manager-script"/> <role rolename="manager-jmx"/> <user username="admin" password="admin" roles="manager-script,manager-jmx"/> </tomcat-users>
If you’re using an older version of Tomcat e.g. Tomcat 6, the username/password combination can be found in the same file e.g.
$CATALINA_BASE/conf/tomcat-users.xml file. It might look like the following:
<tomcat-users> <role rolename="manager"/> <user username="admin" password="admin" roles="manager"/> </tomcat-users>
manager role was deprecated in Tomcat 6 and removed starting Tomcat 7. You can still use any of the roles described under Tomcat 9 section e.g.
If you want to learn more about configuring the Manager interface, please read the official Tomcat 9 docs. That’s all. I hope you enjoyed it.