Bug 51147 - Deploy from Manager fail in 403
Summary: Deploy from Manager fail in 403
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Manager application
Version: 6.0.30
Hardware: PC Linux
Importance: P2 normal
Target Milestone: default
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Duplicates: 51183
Depends on:
Blocks:
 
Reported: 2011-05-03 22:37 UTC by Alexis Hassler
Modified: 2014-02-17 13:53 UTC

Attachments
Proposed patch (611 bytes, patch)
2011-05-04 09:51 UTC, Alexis Hassler
I'm getting the attached error while connecting with javabridge using php (227.00 KB, image/jpeg)
2014-02-06 12:09 UTC, Madhiyalagan

Description Alexis Hassler 2011-05-03 22:37:51 UTC
I've seen in documentation that I should not use new roles for the deploy feature in the HTML Manager (cf. http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Manager_Application). So I'm using the old manager role, but I'm getting a 403 error when I deploy an application.

The upload and undeploy features work well.

Here is my tomcat-users.xml file:

<tomcat-users>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="manager"/>
</tomcat-users>
Comment 1 Chuck Caldarale 2011-05-04 00:48:13 UTC
Bugzilla is not a support forum.  Please post usage questions and issues on the Tomcat users' mailing list.
Comment 2 Alexis Hassler 2011-05-04 09:30:57 UTC
OK, maybe it's not a bug, but it works fine in Tomcat 7 with the same usage.

I've looked further and saw that, if the "deploy" action is a GET, it fails because the nonce is not in the request. If it is a POST it works.

OK, maybe it is not a bug, but it could work better with a very light change in the org.apache.catalina.manager.HTMLManagerServlet class.
Comment 3 Alexis Hassler 2011-05-04 09:51:50 UTC
Created attachment 26957 [details]
Proposed patch
Comment 4 Mark Thomas 2011-05-04 11:30:27 UTC
The role name is a red herring. The Realm doc wasn't updated. The correct role is manager-gui.

The docs have been corrected although the original issue (deploy fails) remains.
Comment 5 Mark Thomas 2011-05-04 11:34:12 UTC
I have confirmed both the issue and that the patch fixes it.

The problem is that when a form is used with GET and the action URL contains request parameters, user agents may (FF4 does) overwrite the parameters already in the URL with those in the form rather than combine them. Switching to POST avoids this issue.

I have proposed the patch for 6.0.x.
Comment 6 Konstantin Kolinko 2011-05-04 12:29:17 UTC
(In reply to comment #5)
> The problem is that when a form is used with GET and the action URL contains
> request parameters user agents may (FF4 does) overwrite the parameters already
> in the URL with those in the form rather than combine them. Switching to POST
> avoids this issue.

That is how form submission is defined in HTML5.

4.10.22 Form submission [1]
-> 4.10.22.3 Form submission algorithm
-> Table in Step 17
-> "http" + GET method  gives "Mutate action URL"
-> Mutate action URL is 
"Let destination be a new URL that is equal to the action except that its <query> component is replaced by query (adding a U+003F QUESTION MARK character (?) if appropriate)."

[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#form-submission

So it is a natural limitation on the use of CsrfPreventionFilter in such forms. But I am OK with the change to the form, because I do not see a reason to use the GET method here. The action is not repeatable, nor is it bookmarkable, because of the nonce.
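
The behaviour discussed in comments 5 and 6, as an added example (not part of the bug report and not Tomcat code): a small JavaScript model of GET versus POST form submission checked against a nonce. The parameter name `nonce`, the form fields, the nonce value and the host are constructed assumptions.

```javascript
// Added illustration, not Tomcat code: how a browser builds the request for a
// form whose action URL already carries a nonce in its query string.
const NONCE_PARAM = "nonce"; // assumed parameter name

// HTML form submission: GET "mutates" the action URL (its query is replaced by
// the form data set); POST keeps the action URL and sends the fields in the body.
function buildRequest(method, action, fields) {
  const url = new URL(action, "http://localhost:8080"); // constructed host
  const encoded = new URLSearchParams(fields).toString();
  if (method.toUpperCase() === "GET") {
    url.search = encoded; // existing query, nonce included, is discarded
    return { method: "GET", url: url.pathname + url.search, body: "" };
  }
  return { method: "POST", url: url.pathname + url.search, body: encoded };
}

// Simplified stand-in for a nonce check: 403 unless the request carries a
// nonce that was issued to the session earlier.
function filterStatus(request, issuedNonces) {
  const query = request.url.split("?")[1] || "";
  const params = new URLSearchParams(query);
  // Servlet-style lookup: query string parameters first, then the form body.
  for (const [k, v] of new URLSearchParams(request.body)) params.append(k, v);
  const nonce = params.get(NONCE_PARAM);
  return nonce !== null && issuedNonces.has(nonce) ? 200 : 403;
}

// Submit the same form both ways and report what the server-side check sees.
function demo() {
  const issued = new Set(["ABC123"]); // constructed nonce value
  const action = "/manager/html/deploy?" + NONCE_PARAM + "=ABC123";
  const fields = { deployPath: "/app", deployWar: "file:/tmp/app.war" }; // constructed
  return ["GET", "POST"].map((method) => {
    const req = buildRequest(method, action, fields);
    return { method, url: req.url, status: filterStatus(req, issued) };
  });
}

console.log(demo());
```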
Comment 7 Konstantin Kolinko 2011-05-11 09:11:35 UTC
*** Bug 51183 has been marked as a duplicate of this bug. ***
Comment 8 Mark Thomas 2011-05-18 12:36:26 UTC
Fixed in 6.0.x and will be included in 6.0.33 onwards.

Thanks for the patch.
Comment 9 Alexis Hassler 2011-05-18 12:44:56 UTC
You're welcome. I'm glad with my small contrib.
Comment 10 Madhiyalagan 2014-02-06 12:09:28 UTC
Created attachment 31288 [details]
I'm getting the attached error while connecting with javabridge using php

Can anyone please help me with the attached error?
Comment 11 Konstantin Kolinko 2014-02-06 12:30:57 UTC
(In reply to Madhiyalagan from comment #10)
Not here.

See Comment 1 above.
http://tomcat.apache.org/bugreport.html#Bugzilla_is_not_a_support_forum