The New Manager Roles in Tomcat 7
When you first install Tomcat 7 and try to access the "Manager" app, it returns a 403 Access Denied error. This is because no username in the default users file ($CATALINA_BASE/conf/tomcat-users.xml) is assigned to the manager roles. Access to the Manager application is therefore completely disabled by default. This is a security measure that keeps unknown users on the internet from viewing the Manager application. All users are required to authenticate with a user name and password that has one of the manager-* roles associated with it.
With Tomcat 7, there are 4 built-in roles that allow administrators to delegate access to specific accounts so that they can only do certain things, like view stats and not deploy apps. The four roles are named: manager-gui, manager-script, manager-jmx, and manager-status.
manager-gui provides access to the status pages and the Tomcat Manager web console. Accounts with this level of access can do anything through the traditional Tomcat Manager web console. This includes deploying/undeploying apps, viewing stats, generating leak detection diagnostics, expiring sessions, etc.
manager-script provides all the functionality that manager-gui provides, but through the text interface instead of the HTML GUI.
manager-jmx provides access to the jmxproxy interface, which provides monitoring tools & scripts.
manager-status gives users assigned to that role access to the statistics that Tomcat provides, such as current threads, max threads, etc. Users belonging to this role will be able to access the Status link on the main Tomcat index page but will receive a 403 - Access Denied when attempting to access the Tomcat Manager.
All four roles provide access to the status pages.
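To check which accounts in a tomcat-users.xml actually hold these roles, the following added example (not part of Tomcat or of the original article) parses the file and reports each user's manager access. The function name audit, the sample users and the placeholder passwords are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# What each built-in role grants, as described in the article above.
ROLE_ACCESS = {
    "manager-gui": "HTML manager console and status pages",
    "manager-script": "text interface and status pages",
    "manager-jmx": "jmxproxy interface and status pages",
    "manager-status": "status pages only",
}
# Roles the article describes as able to deploy/undeploy applications.
DEPLOY_ROLES = {"manager-gui", "manager-script"}

# Constructed sample file; user names and passwords are placeholders.
SAMPLE = """<tomcat-users>
  <user username="ops" password="CHANGE_ME" roles="manager-gui"/>
  <user username="ci" password="CHANGE_ME" roles="manager-script, manager-status"/>
  <user username="monitor" password="CHANGE_ME" roles="manager-status"/>
  <user username="legacy" password="CHANGE_ME" roles="manager,admin"/>
</tomcat-users>"""


def audit(xml_text):
    """Map each user to the manager roles held and what they imply."""
    report = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "user":  # tolerate a namespaced file
            continue
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        held = [r for r in roles if r in ROLE_ACCESS]
        report[el.get("username")] = {
            "manager_roles": held,
            "can_deploy": any(r in DEPLOY_ROLES for r in held),
            # manager-like names outside the four built-in roles (typos, old names)
            "unrecognized": [r for r in roles
                             if r.startswith("manager") and r not in ROLE_ACCESS],
        }
    return report


if __name__ == "__main__":
    for user, info in audit(SAMPLE).items():
        access = "; ".join(ROLE_ACCESS[r] for r in info["manager_roles"]) or "no manager access"
        flag = " [can deploy]" if info["can_deploy"] else ""
        print(f"{user}: {access}{flag}")
        for r in info["unrecognized"]:
            print(f"  note: '{r}' is not one of the four built-in manager roles")
```

Run against the real file by passing its contents to audit(); accounts that only need statistics should show "status pages only".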
This is a nice addition to Tomcat 7, which provides clear demarcation of the roles compared to the earlier versions.