Basic Tomcat Tour and Tomcat Security Basic Tomcat Tour and Tomcat Security /home/workshop/tds/apache-tomcat-6.0.13
and that you have an environment variable TOMCAT_HOME set to this value.
Check that this variable is set by with this command:
echo $TOMCAT_HOME
If the system indicates that the variable is not set, recall that you can set this variable in any window at any time by executing the command:
set TOMCAT_HOME /home/workshop/tds/apache-tomcat-6.0.13
(This command works under the UNIX bash shell, which is the shell running on our workshop machines. You may need to use a different command if running under some other shell.)
webapps Directory
The webapps directory is where web applications are placed to be
run by Tomcat. Tomcat automatically monitors this directory and when it finds
a new
.war file it will attempt to install it as an application. If
there is an error in the deployment, such as a problem with the file, it will report
that in the the log file catalina.out.
Exercise: Do this:
ls $TOMCAT_HOME/webapps
Among other things, you should see the thredds.war file that was previously installed,
and a directory called thredds. This is the TDS code.
Tomcat installed the TDS automatically in a directory named
threddswhen the thredds.war file was placed there.
logs Directory
Once Tomcat has been started it will generate some log files and put them in
the logs directory. The files
that are generated depends on how the server is configured. Here is an
example from one recent Tomcat installation using the default configuration:
[tomcat@lead3 ~/logs]$ ls -lt total 12 -rw-r--r-- 1 tomcat leadstaff 234 Jul 26 11:49 localhost.2007-07-26.log -rw-r--r-- 1 tomcat leadstaff 1597 Jul 26 11:49 catalina.2007-07-26.log -rw-r--r-- 1 tomcat leadstaff 1710 Jul 26 11:49 catalina.out -rw-r--r-- 1 tomcat leadstaff 0 Jul 26 11:49 localhost_access_log.2007-07-26.txt -rw-r--r-- 1 tomcat leadstaff 0 Jul 26 11:49 admin.2007-07-26.log -rw-r--r-- 1 tomcat leadstaff 0 Jul 26 11:49 host-manager.2007-07-26.log -rw-r--r-- 1 tomcat leadstaff 0 Jul 26 11:49 manager.2007-07-26.logExercise: Do this:
ls $TOMCAT_HOME/logs
The log file catalina.out is Tomcat's main log file and can be worth
watching when
Tomcat is started or when an web application is placed in the webabbs directory
to ensure that no errors occurred. A successful launch of Tomcat generates lots of entries
in catalina.out, but that stream of entries generally ends with a line
like this, which indicates a successful start up:
Jul 26, 2007 11:49:09 AM org.apache.catalina.startup.Catalina start INFO: Server startup in 5080 ms
Similarly, if there seems to a problem in the execution of Tomcat
or a web application, catalina.out is good place to look for an error. Or, just check the
logs directory for the file most recently written and see if any errors are reported
there.
The localhost_access_log file (such as
localhost_access_log.2007-07-26.txt in the example above)
is useful in both Tomcat and TDS administration because it tracks all requests made to the Tomcat
server and the response given by the server. For example, this line:
128.117.156.28 - - [26/Jul/2007:11:59:54 -0700] "GET /thredds/tdr/storm/catalog.html HTTP/1.1" 200 2139shows that a request arrived from a host with the IP address 128.117.156.28 on July 26 to retrieve the document /thredds/tdr/storm/catalog.html using HTTP protocol version 1.1. It also shows that the server returned the HTTP status code 200, which means
OKand that the request succeeded, and the number of bytes sent. (See HTTP Status Code Definitions for the meaning of response codes returned by HTTP.)
content Directory content directory is the place to put documents to
be served by tomcat. This includes TDS catalogs.
Exercise: Do this:
ls $TOMCAT_HOME/content
You should see the thredds directory. Now do:
ls $TOMCAT_HOME/thredds
You should some default content placed when the TDS was installed in order
to get you started. In particular, you should see a file called
catalog.xml, which is the top TDS catalog. When you visit
http://localhost:8080/thredds , this is the catalog that
the TDS renders in HTML and sends to your browser.
conf Directory conf directory holds files used to configure Tomcat.
In this document we will focus on the files tomcat-users.xml and server.xml.
Exercise: Do this:
ls $TOMCAT_HOME/conf
tomcat-users.xml contains information about users of the application served by
tomcat. It holds user names, passwords, and defines user roles, which can used to limit access to various pieces of functionality of a application. It is discussed further below.
conf/server.xml server.xml is used to configure Tomcat. It is an XML file that contains
elements to configure various aspects of Tomcat.
See Tomcat Server Configuration Reference
for more information about server.xml.
Here we will focus on a few select concepts and XML elements relevant to setting up a TDS.
Changes to server.xmldo not take effect until Tomcat is restarted.
Exercise: View $TOMCAT_HOME/conf/server.xml in your favorite
editor. Find the elements below as we tour the file.
The outermost element of server.xml is a Server element,
which represents the entire Tomcat servlet container and defines its
characteristics as a whole.
A Service element is a nested element with the Server
element. It represents the combination of one or more Connector
components that share a single Engine component.
(An Engine represents the entire request processing machinery
associated with a Service.)
The top
Tomcat service is named Catalina
. (Hence the log
file name of catalina.out
.)
Connectorelement in
server.xml. A Connector element
represents the interface between external clients sending requests to
and receiving responses from Tomcat. This element can
take additional attributes for further configuration. Here is an example
that came with a recent Tomcat installation:
<Connector port="8080"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
debug="0" connectionTimeout="20000"
disableUploadTimeout="true" />
Tomcat listens for a shutdown command on port 8005. Keeping
the shutdown functionality on a separate port provides enhanced security because
shutdown commands can't be received from an external source. This port is defined in
the main Server
element. Here is the first line
of that element, illustrating the shutdown port 8005:
<Server port="8005" shutdown="SHUTDOWN" debug="0">
The other important port for secure Tomcat and TDS management is port 8443, which is the port on which Tomcat listens for secure connections. Like port 8080, this is defined via a Connector attribute. This particular connector may be commented out in a default installation. We will enable it when we configure Tomcat to use SSL encryption, below. For illustration, here is an example of a Connector for port 8443:
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
keystoreFile="/opt/tomcatlead2/jakarta-tomcat-5.0.28/conf/keystore-tomcat"
clientAuth="false" sslProtocol="TLS" />
Valve element is a way to preprocess requests sent to Tomcat.
Of particular interest here is the Access Log Valve, which creates log files
to track client access information, as we saw in the access_log file above.
As we saw, this valve can be used to a variety of information, including
page hit counts, user session activity, user authentication
information, and other information.
Attributes to this valve are used to configure the information reported in the log file. Here is an example of a simple Access Log Valve that came with a recent Tomcat distribution:
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs" prefix="localhost_access_log." suffix=".txt"
pattern="common" resolveHosts="false"/>
This is the valve that produced the log entries we saw above. The pattern attribute of this element defines a formatting layout.
commonis a standard format. But a pattern can also be defined by a literal text string, rather like how C language strings are formatted. Here is an example of the version of the Access Log Valve used on our TDS server:
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs" prefix="access." suffix=".log"
pattern="%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i" %D"
resolveHosts="false"/>
This produces log entries that look like this:
128.117.126.9 - - [23/Jun/2007:23:52:42 -0600] "GET /thredds/catalog/fmrc/NCEP/GFS/Global_2p5deg/catalog.html HTTP/1.0" 200 4014 "null" "www.dlese.org,support@dlese.org" 30463
For more information about the pattern codes supported by the Access Log Valve, see The Valve Component .
Exercise: Enable this valve so that we can see Tomcat requests and responses.
Realm is implemented as a databaseof usernames and passwords that identify valid users of a web application or set of web applications.
We will use Realm elements below in configuring Tomcat to
use digested passwords.
In this section we introduce Tomcat security by enabling authentication in order
to use the Tomcat Manager application. The Tomcat Manager is
an application that is distributed with the Tomcat distribution, which provides a graphical user
interface to manage Tomcat.
We will then enable Secure Socket Layer
(SSL) encryption of requests to the TDS debug
application. The TDS
debug
application provides an interface to manage
the TDS remotely. Because each application provides access to sensitive functionality,
it is necessary to secure them by requiring users to authenticate to Tomcat and by requiring
SSL encryption of the information that is sent to Tomcat. Finally, we describe
how to make the Manager more secure by enabling SSL encrypted communication
to the Manager.
This section introduces the Tomcat authentication mechanism by describing how to
enable authentication in order to use the Tomcat manager. (Enabling remote
TDS management is described under Tools for Managing TDS, Using Remote Management
.)
We'll start this section with background material about the Manager and the file
tomcat-users.xml, then provide detailed information about the steps required
to enable authentication. In a nutshell,
there are two steps required to enable authentication for the Tomcat Manager:
tomcat-users.xmlwith the required role and user informationwebapp, just like TDS. However being considered part of the Tomcat server, it resides in a different directory than the
webapps directory we toured above, which exists for external applications.
Instead, the Manager webapp is placed under $TOMCAT_HOME/server/webapps.
Execution of the tomcat manager requires that users authenticate themselves and
be associated with the predefined role manager
. That is, users must provide
a user name and password, and their user name must be associated with the
manager role. By default, this information is stored in the file
${TOMCAT_)HOME}/conf/tomcat-users.xml.
tomcat-users.xml is an ASCII file in which user names, passwords, and
roles are stored for the purpose of authentication and limiting access to protected
resources.
For our purposes, tomcat-users.xml provides an effective mechanism for
protecting TDS
resources. However, for increased security you could consider using an LDAP server
or a database to store user and role information. Use of these mechamisms is beyond
the scope of this documentation,
however.
Here is an example of a very simple tomcat-users.xml file:
<tomcat-users>
<role rolename="tdrAdmin />
<user name="Anne" password="secret" roles="tdrAdmin" />
</tomcat-users>
There must be an entry in the file for each user that is required to authenticate.
Each <user> entry defines the user name, password, and roles that are assigned to
that user. In this example there is one role defined, tdrAdmin. There is also one user,
Anne, with the password
secretand she is assigned the role
tdrAdmin.
You can think of roles as similar to groups in Unix-like operating systems, because access to specific web application resources is granted to all users possessing a particular role (rather than enumerating the list of associated usernames). A particular user can have any number of roles associated with their username.
When a user attempts to access a protected resource for the first time, Tomcat will challenge the user for a user name and password. Once the user has been authenticated, the relevant information, including the roles to which the user was assigned, is cached for the duration of the user’s login.
tomcat-users.xml is read once when Tomcat is started. For this reason, changes to
tomcat-users.xml will not be recognized until Tomcat is restarted.
tomcat-users.xml with User Info and Roles tomcat-users.xml file, and the user must be assigned the managerrole, which is a predefined role in Tomcat.
Role names such as manager should be added to the role
attribute of a
<user>
element. The value of the role attribute can be a single value or a comma separated
list of values. For example, to add the manager role to the user Anne
in the above
example, the result would look like this:
<tomcat-users>
<role rolename="tdrAdmin />
<role rolename="manager" />
<user name="Anne" password="secret" roles="tdrAdmin,manager" />
</tomcat-users>
Exercise: Modify the default tomcat-users.xml to add yourself as a user and give
yourself the role of manager
. Start (or restart) Tomcat, and ensure that you can
access the manager application.
Test this change by pointing your browser to http://localhost:8080
and then click
on the Manager
link in the left hand column. You’ll see that you will not be
challenged on getting the Tomcat splash page, but you will be challenged when you
try to access the manager.
With access to the Manager enabled, you can now start, stop, and reload the TDS without having to start or stop Tomcat.
Exercise: This exercise is to help you learn to debug tomcat problems. Modify tomcat-users.xml, but make sure there’s some problem with the XML format. For example, leave off a closing angle bracket. In the logs directory (~tomcat/logs) tail the file catalina.out as you restart Tomcat. The log file should report some kind of error that would, in theory, lead you to reexamine tomcat-users.xml and help you find the error.
There are several digest algorithms. Here we will use the SHA (Secure Hash Algorithm) algorithm.
server.xml to use digested passwordstomcat-users.xmlserver.xml to Use Digested Passwordsserver.xml:
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase">
We will not use this Realm and instead create a new one using the Tomcat
MemoryRealm. Find the above Realm definition in
server.xml,
comment it out, and add this new Realm:
<Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA" />
The result should look something like this:
<!--Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/-->
<!-- Added by Anne -->
<Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA"/>
digest.sh, that creates a digested
version of a password. The script takes an argument that specifies which digest algorithm
to use. It also takes an argument that is the password to be digested. Here is
an example of the command usage:
$TOMCAT_HOME/bin/digest.sh -a SHA secret
This will produce output like this:
secret:e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4
which shows the digested form of the password secret.
If you get output like this:
(anne) lead3: /opt/tomcat 6 % bin/digest.sh -a SHA secret
/opt/tomcat/bin/setclasspath.sh: line 58: [: =: unary operator expected
secret:e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4
don’t worry about the error. The digested password is still correct.
You must the copy the digested password, the part to the right of the colon character,
into tomcat-users.xml in place of the clear text
password.
server.xml and copied the digested
password into tomcat-users.xml, restart Tomcat for this change to take effect.
Exercise: Do the above for the clear text password that you added to
tomcat-users.xml earlier. After you’ve made the changes
and restarted Tomcat, test the change by going to
http://localhost:8080 and then
accessing the Manager application.
The behavior of Tomcat should be the same as when you first added your password.
You know, however, that the digested password is being used as that is what
is stored in tomcat-users.xml.
Besides encoding information sent to the server, the SSL protocol also requires
that the server authenticate to the client. This is to prevent a spoof from
pretending to be a trusted server and fraudulently obtaining sensitive
information. For this reason, to enable SSL it is first necessary to create
an SSL certificate for the server, in this case Tomcat. This is a credential that is passed to
the client upon initiating a connection that certifies the server’s identity.
Among trusted sites, it is sufficient for the server to send a self-signed
certificate, the creation of which is described here. A self-signed certificate
is not considered the most secure because there is no third party
certificate authority vouching for the site. If you are interested
in using more secure certificates, see the subsection called Upgrading SSL
security level by creating a CA (Certificate Authority) signed key
under
the Section
Production Installation - Advanced.
The page SSL Configuration HOW-TO from the Tomcat documentation gives information about Tomcat and SSL.
server.xml to use SSL Encryptionkeystorefile where certificates are stored. Java provides a tool, called keytool, that generates a self-signed certificate and puts in a keystore file. The default keystore filename is ${user_home}/.keystore. However, this example will use the filename $TOMCAT_HOME/conf/keystore-tomcat.
To create a self-signed certificate and store it in $TOMCAT_HOME/conf/keystore-tomcat, execute this command:
/usr/java/jdk1.5.0_10/bin/keytool -genkey -alias tomcat -keyalg RSA -validity 365 -keystore $TOMCAT_HOME/conf/keystore-tomcat
The arguments to this command tell keytool to generate a key,
make an entry for the keystore file identified by the alias "tomcat" (the
alias used by Tomcat),
use the RSA encryption algorithm,
create a certificate valid for 365 days,
and put it in the keystore file called $TOMCAT_HOME/conf/keystore-tomcat.
This command will generate this series of questions:
Enter keystore password: changeit
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: tomcat server
What is the name of your organization?
[Unknown]: Anne’s Home
What is the name of your City or Locality?
[Unknown]: Boulder
What is the name of your State or Province?
[Unknown]: Colorado
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=localhost, OU=tomcat server, O=Anne’s Home, L=Boulder, ST=Colorado, C=US correct?
[no]: yes
Enter key password for <Anne>
(RETURN if same as keystore password):
The default keytool password is changeit
. You must use this same
password for both the keystore password and the key password for tomcat.
Although it's not obvious, the first and last name
should be the name of the server host machine.
Note: The above output was generated when keytool was run as special user "tomcat". In the context of this workshop we are running as user "workshop" so your output will reflect that difference.
Exercise: Create the keystore file.
server.xml. In
server.xml we will
To redirect requests to port 8443, find the Connector that uses port
8080 and ensure that it has a redirectPort
attribute having the
value 8443
. It should look something like this:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
To create a Connector using port 8443, the SSL port, in server.xml find the
Connector element that uses port 8443. By default is commented out.
Ensure that that Connector element is
not commented out. Also, to that element add the attribute
keystoreFile and give the value of the path to the keystore
file that we created above. The result should look similar to this:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/opt/tomcat/conf/keystore-tomcat" />
Note that links are not followed in the specification of the location of the
keystore file. If Tomcat can't actually find the keystore file, it will
likely throw a java.io.FileNotFoundException, reported in the logs.
Note, regarding Tomcat 6: There is a difference between Tomcat 5 and Tomcat 6
regarding enabling SSL. Tomcat 6 uses the Apache Portable Runtime Library
(APR) to provide superior scalability, performance, and better integration
with native server technologies
. (See
Tomcat 6: Apache Portable Runtime and Tomcat for more information.)
Use of the APR requires an additional element in server.xml to define
which SSL engine to use (or to disable SSL), like this:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />Note that this Listener is not used in Tomcat 5, so copying
server.xml from a
Tomcat 5 to a Tomcat 6 installation is not recommended.
Furthermore, in Tomcat 6 the Connector element for port 8443 requires the SSLEnabled
attribute be
set to true, like this:
<Connector port="8443" SSLEnabled="true" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/opt/tomcat/conf/keystore-tomcat" />
The SSLEnabledattribute is not used in Tomcat 5, so copying the entire Connector element from a Tomcat 5 to a Tomcat 6 installation will not enable SSL, and may (and has) produce mysterious behavior around access to protected resources.
After restarting Tomcat, you can use netstat -an command to
check that the ports are correctly configured. You should see lines like:
TCP 127.0.0.1:8080 0.0.0.0:0 LISTENING TCP 127.0.0.1:8443 0.0.0.0:0 LISTENING
Exercise: Edit server.xml and configure Tomcat to use SSL.
Restart Tomcat, and connect via your browser:
http://localhost:8080.
Use of SSL is transparent, so you should see no difference. If there is a problem, however, you will likely be unable to restart Tomcat or connect successfully afterwards.
If you've been following the exercises in this document at this point you will be prevented from accesssing this page. You should get a message about access to the page being denied.
At this point, even though we have configured Tomcat to use SSL encryption,
we have not allowed anyone to have access to the protected TDS resources.
To provide access it is necessary to update the user database
tomcat-users.xml to include the role tdsConfig and to
add that as a role to authorized users. Make your tomcat-users.xml
look something like this:
<tomcat-users>
<role rolename="tdsConfig />
<role rolename="tdrAdmin />
<role rolename="manager" />
<user name="Anne" password="secret" roles="tdrAdmin,manager,tdsConfig" />
</tomcat-users>
Then restart Tomcat for this change to take effect.
Exercise: Test this change by going to
http://localhost:8080/thredds/debug.
You should get the TDS debug page.
Running TDS without SSL
If you are on a secure network and don't want to run with SSL enabled,
edit
Password authentication will then be done without SSL encryption.
You will have to repeat this whenever you reinstall or upgrade
In order to create SSL protected areas of an application, it is necessary to
specify those protected areas. This is done in a special file belonging to
the application,
called
We will put this same XML snippet in the
In the file
Now add the $TOMCAT_HOME/webapps/thredds/WEB-INF/web.xml and change all instances of
CONFIDENTIAL
to NONE
.
thredds.war.
Enable SSL for the Manager Application
If you've been following the exercises in this tutorial, the Manager application
is currently running though without SSL encryption. In order to make this Manager
security even stronger, we will reconfigure the Manager application to require this.
First, some background:
<application name>/WEB-INF/web.xml (relative to
the webapps directory), which
is provided with every application served by Tomcat. For example, TDS provides
the file $TOMCAT_HOME/webapps/thredds/WEB-INF/web.xml, which is
preconfigured to require SSL encryption to get the remote management page.
The section of the file that does this is here:
<!-- This allows "remote configuration":
/thredds/debug gives access to various debug and status info.
ThreddsDefault servlet aliases /thredds/root/ to "{tomcat_home}/webapps/thredds/"
ThreddsDefault servlet aliases /thredds/dataDir/path to "dirLocation/" where path is mapped to dirLocation through a
datasetRoot or datasetScan element in the catalog. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>sensitive read access</web-resource-name>
<url-pattern>/debug</url-pattern>
<url-pattern>/root/*</url-pattern>
<url-pattern>/dataDir/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>tdsConfig</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
It is the user-data-constraint element that requires port 8443 to be
used, thus requiring SSL encryption:
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
web.xml file belonging
to the Manager application.
server/webapps/manager/WEB-INF/web.xml, find this
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTMLManger and Manager command</web-resource-name>
<url-pattern>/jmxproxy/*</url-pattern>
<url-pattern>/html/*</url-pattern>
<url-pattern>/list</url-pattern>
<url-pattern>/sessions</url-pattern>
<url-pattern>/start</url-pattern>
<url-pattern>/stop</url-pattern>
<url-pattern>/install</url-pattern>
<url-pattern>/remove</url-pattern>
<url-pattern>/deploy</url-pattern>
<url-pattern>/undeploy</url-pattern>
<url-pattern>/reload</url-pattern>
<url-pattern>/save</url-pattern>
<url-pattern>/serverinfo</url-pattern>
<url-pattern>/status/*</url-pattern>
<url-pattern>/roles</url-pattern>
<url-pattern>/resources</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- NOTE: This role is not present in the default users file -->
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
(Actually, the role manager
is now present in the default users file,
as we added it earlier. You can now remove this out of date comment.)
user-data-constraint element, like this:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTMLManger and Manager command</web-resource-name>
<url-pattern>/jmxproxy/*</url-pattern>
<url-pattern>/html/*</url-pattern>
<url-pattern>/list</url-pattern>
<url-pattern>/sessions</url-pattern>
<url-pattern>/start</url-pattern>
<url-pattern>/stop</url-pattern>
<url-pattern>/install</url-pattern>
<url-pattern>/remove</url-pattern>
<url-pattern>/deploy</url-pattern>
<url-pattern>/undeploy</url-pattern>
<url-pattern>/reload</url-pattern>
<url-pattern>/save</url-pattern>
<url-pattern>/serverinfo</url-pattern>
<url-pattern>/status/*</url-pattern>
<url-pattern>/roles</url-pattern>
<url-pattern>/resources</url-pattern>
</web-resource-collection>
<!-- Require use of port 8443 -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
Again, restart Tomcat for this change to take effect.
This document is maintained by Anne Wilson and was last updated
on July 26, 2007.
Send comments to THREDDS support.