Is tomcat manager supported in the nuxeo installation ? Is the Tomcat Manager supported in a Nuxeo installation?

Today we have a question from smalis who asks if the Tomcat Manager is supported by Nuxeo.

While it’s true that the Manager isn’t accessible by default in the Nuxeo Platform; it’s easy to add. All you need to do is declare a user with access to the manager interface.

Only users with the manager role can access it. So you need to edit the _$CATALINA_HOME/conf/tomcat-users.xml_ file to add them ($CATALINA_HOME is your tomcat installation folder):

<?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="manager"/> <user username="admin" password="admin" roles="manager"/> </tomcat-users> 

Now you can go to localhost:8080/manager/html with the admin:admin credentials and use the manager interface.

This is all really nice, but I don’t like to have it hardcoded like this. So we’re going to use a template. One of the nice things introduced with the upcoming 5.6 version is the ability to use FreeMarker to process configuration files. We can access properties defined in nuxeo.conf. Here’s my ‘templated’ tomcat-users.xml file put under templates/common-base/conf/:

<?xml version='1.0' encoding='utf-8'?> <tomcat-users> <#if "${nuxeo.server.manager.enabled}" == "true"> <role rolename="manager"/> <user username="${nuxeo.server.manager.username}" password="${nuxeo.server.manager.password}" roles="manager"/> </#if> </tomcat-users> 

As you can see, we’re going to use three properties: - nuxeo.server.manager.enabled will add the user if true. - nuxeo.server.manager.username is the user name of our manager user. - nuxeo.server.manager.password is the password of our manager user.

As usual, when we add a template file, we need to add the default values in the nuxeo.default file. So let’s add this to templates/common-base/nuxeo.defaults:

nuxeo.server.manager.enabled=false nuxeo.server.manager.username= nuxeo.server.manager.password= 

The default configuration makes the manager unavailable. We have to add the right properties in nuxeo.conf:

nuxeo.server.manager.enabled=true nuxeo.server.manager.username=admin nuxeo.server.manager.password=admin 

Now we’ll have access to the Manager web application everywhere as long as we have the right user credentials. To make it a little more secure, we should limit access from a certain IP address, like for instance. So let’s add a new file manager.xml with our specific configuration. In this file, we declare the Manager web application in the Context tag, the user database in the ResourceLink tag and a RemoteAddrValve to limit access from the IP only. If the nuxeo.server.manager.enabled property isn’t set to true, we’ll have an empty file.

<#if "${nuxeo.server.manager.enabled}" == "true"> <?xml version='1.0' encoding='utf-8'?> <Context path="/manager" docBase="$CATALINA_HOME/webapps/manager" debug="0" privileged="true">

<ResourceLink name="users" global="UserDatabase" type="org.apache.catalina.UserDatabase"/>

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow=""/>

</Context> </#if> 

So now we can access the Manager only from the localhost. To make it cleaner, we can create a dedicated template. All we need to do is create a folder called manager in templates. Add manager.xml, tomcat-users.xml and nuxeo.defaults. Something we have to be careful about is the nuxeo.default file target property. If you copy it from template/common-base, you should see a property set to ‘.’. This means that all the files in the template/common-base folder will be copied to your server folder. If you choose nxserver, all the files will be copied to the nxserver folder. I’ve chosen so my file structure looks like this: - templates/manager/conf/tomcat-users.xml - templates/manager/conf/Catalina/localhost/manager.xml - templates/manager/nuxeo.defaults

The last step is to add the manager template to nuxeo.conf: nuxeo.templates=default,manager

And we’re good to go. See ya’ on Monday!