先进入manager所在目录
[root@localhost tomcat]# cd webapps/manager/WEB-INF/
查看 web.xml
[root@localhost WEB-INF]# more web.xml
HTML Manager interface (for humans) /html/* 对应:http://localhost:8080/manager/htmlmanager-gui 定义了访问这个页面的角色名:manage-guiText Manager interface (for scripts) /text/*manager-script JMX Proxy interface /jmxproxy/*manager-jmx Status interface /status/* 对应:http://localhost:8080/manager/statusmanager-gui manager-script manager-jmx manager-status
进入host-manager所在目录
[root@localhost tomcat]# cd webapps/host-manager/WEB-INF/
查看 web.xml
[root@localhost WEB-INF]# more web.xml
HTMLHostManager commands /html/* 对应:http://192.168.14.219:8080/host-manager/htmladmin-gui 定义了管理角色名称
The role that is required to log in to the Host Manager Application HTML interface admin-gui The role that is required to log in to the Host Manager Application text interface admin-script
编辑Tomcat用户配置文件,添加角色
[root@localhost tomcat]# vi conf/tomcat-users.xml
that surrounds them. --> --> 这里有个注释符号去掉,是下面的生效
重启 tomcat
[root@localhost tomcat]# ./bin/shutdown.sh
[root@localhost tomcat]# ./bin/startup.sh
总结:
虚拟目录/WEB-INF/web.xml一般定义了访问这个目录的安全角色名称,得知这个安全角色名称后便可在conf/tomcat-users.xml添加对应的访问角色,获得访问权限。(于是这里也是个黑客可以利用的后门。。)
