Access Tomcat Manager (Admin) Interface with Username and Password

Jan 24, 2020 · 2 mins read

Apache Tomcat is one of the most popular web application servers for Java. It comes with a web interface called the Manager which makes it easy to administer and control web applications running in Tomcat using a web browser. Using the Manager, you can deploy a new WAR application and control existing ones without having to restart Tomcat. The Manager interface is typically accessed by visiting http://localhost:8080/manager/html.

This article explains how to configure access to the Tomcat Manager interface and how to set up a username and password.

Tomcat 9: Manager Access with Username/Password

For security reasons (you wouldn’t want anyone on the web accessing the admin controls!), access to the Manager is disabled by default. There is no default username and password. To enable access, you must create a new username/password combination and associate it with the manager-gui role (listed below). To do this, you’ll need to modify the $CATALINA_BASE/conf/tomcat-users.xml file.

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml
                                  tomcat-users.xsd"
              version="1.0">

  <role rolename="manager-gui" />
  <user username="admin" password="admin" roles="manager-gui" />

</tomcat-users>

You’ll need to restart Tomcat after editing the file above. After restarting Tomcat, you should be able to access the Manager app (http://localhost:8080/manager/html) using username = admin and password = admin.

Let’s take a quick look at Tomcat roles. Roles allow controlled access to Tomcat. Tomcat has 4 roles, all starting with the manager- prefix. These are:

  • manager-gui: Access to the Manager interface through the browser. You must assign this role to enable access to the web interface. The web interface comes with cross-site request forgery (CSRF) protection.
  • manager-status: Server Status page access only.
  • manager-script: Like manager-gui but using the text interface instead of the HTML GUI. This is used by system administrators to write scripts for automation.
  • manager-jmx: JMX proxy access for monitoring.

You can also assign multiple roles to a user by providing a comma-separated list. E.g.

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <user username="admin" password="admin" roles="manager-script,manager-jmx"/>
</tomcat-users>

If you’re using an older version of Tomcat, e.g. Tomcat 6, the username/password combination can be found in the same file, i.e. $CATALINA_BASE/conf/tomcat-users.xml. It might look like the following:

<tomcat-users>
  <role rolename="manager"/>
  <user username="admin" password="admin" roles="manager"/>
</tomcat-users>

The manager role was deprecated in Tomcat 6 and removed starting with Tomcat 7. You can still use any of the roles described under the Tomcat 9 section, e.g. manager-gui.
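
An added example (not from the original article): a Python check that audits a tomcat-users.xml for a manager password equal to the username or on a short deny-list (the deny-list is an assumption), for manager-gui combined with manager-script or manager-jmx (the Tomcat Manager documentation advises against this, since only the HTML interface has CSRF protection), and for the removed manager role. The sample file and the users deploy and legacy are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's admin/admin user plus two hypothetical users.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="deploy" password="k3!vR9#qLm2x" roles="manager-gui,manager-script"/>
  <user username="legacy" password="Zp7$wQ1-tY4n" roles="manager"/>
</tomcat-users>"""

MANAGER_ROLES = {"manager-gui", "manager-status", "manager-script", "manager-jmx"}
LEGACY_ROLE = "manager"  # deprecated in Tomcat 6, removed in Tomcat 7
# Assumed deny-list for illustration; extend it with your own policy.
WEAK = {"admin", "tomcat", "manager", "password", "changeit"}


def local(tag):
    """Drop the XML namespace so Tomcat 6 (no xmlns) and Tomcat 9 files both match."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return a sorted list of (username, finding) tuples for Manager users."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & (MANAGER_ROLES | {LEGACY_ROLE}):
            continue  # user has no Manager access, out of scope here
        if password.lower() == name.lower() or password.lower() in WEAK:
            findings.append((name, "weak-password"))
        # The CSRF protection covers only the HTML interface, so a manager-gui
        # user should not also hold manager-script or manager-jmx.
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            findings.append((name, "gui-with-script-or-jmx"))
        if LEGACY_ROLE in roles:
            findings.append((name, "legacy-manager-role"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```

To check a real installation, pass the contents of $CATALINA_BASE/conf/tomcat-users.xml to audit().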

If you want to learn more about configuring the Manager interface, please read the official Tomcat 9 docs. That’s all. I hope you enjoyed it.


