Tomcat weak password WAR remote deployment

Vulnerability introduction

Apache Tomcat is an open source web application server, mainly used to deploy and manage Java-based web applications. Tomcat provides a complete set of management interfaces that allow administrators to deploy, start, stop and undeploy web applications through a web interface. Access to these administrative functions is controlled through specific roles and permissions.

In Tomcat, permissions are managed by configuring user roles in the conf/tomcat-users.xml file. Different roles allow users to perform different actions. The following is an introduction to the management-related roles and their permissions in Tomcat 7 and above:

  1. manager (backend admin): This is a general role that is usually not given directly to users, but serves as the basis for the other administrative roles.

  2. manager-gui (HTML interface permission): Allows users to access the Tomcat management interface through the HTML interface. Users can deploy, undeploy, start, stop and reload web applications, as well as view system status.

  3. manager-status (permission to view status): Allows users to view the current status of the Tomcat server, including JVM usage, number of sessions, and the running status of each web application.

  4. manager-script (text interface permission and status permission): Allows users to perform management operations through the text interface (for example from command-line tools or scripts). The operations are the same as those of the manager-gui role, but no GUI is provided. This role also includes permission to view server status.

  5. manager-jmx (JMX permission and status permission
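Because the WAR-deployment risk comes from an account that holds manager-gui or manager-script together with a guessable password, a defender's first check is to audit conf/tomcat-users.xml for exactly that combination. The script below is an added example, not code from the original post: it parses a constructed sample file (the usernames, passwords and the weak-password list are assumptions for this example) and reports every deploy-capable account, flagging those whose password is on the weak list, equals the username, or is shorter than 8 characters.

```python
import xml.etree.ElementTree as ET

# Roles from the post that allow deploying a WAR: the HTML manager
# (manager-gui) and the text/script interface (manager-script).
DEPLOY_ROLES = {"manager-gui", "manager-script"}

# Constructed weak/default password list for this example only; the
# shipped sample tomcat-users.xml uses "tomcat" as its example password.
WEAK_PASSWORDS = {"tomcat", "admin", "password", "manager", "123456"}

# Constructed sample conf/tomcat-users.xml (not from the original post).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="monitor" password="Lq8!vZ2#pR9m" roles="manager-status"/>
  <user username="deployer" password="Xk4$wT7%nB1q" roles="manager-script"/>
</tomcat-users>
"""

def _local(tag):
    """Strip the XML namespace so 'user' matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return one finding per user holding a deploy-capable role; 'weak' is
    set when the password is on the weak list, equals the username, or is
    shorter than 8 characters (the account the post's attack relies on)."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        deploy = roles & DEPLOY_ROLES
        if not deploy:
            continue  # status/jmx-only users cannot deploy; out of scope here
        weak = pw.lower() in WEAK_PASSWORDS or pw.lower() == name.lower() or len(pw) < 8
        findings.append({"user": name, "deploy_roles": sorted(deploy), "weak": weak})
    return findings

if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_XML):
        print("WEAK" if f["weak"] else "ok", f["user"], ",".join(f["deploy_roles"]))
```

The check only works on plaintext passwords; entries stored as digests (via a CredentialHandler) will not match the list and need a separate review.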

Origin blog.csdn.net/weixin_43263566/article/details/134794637