Child pages
  • CASifying Tomcat Manager
Skip to end of metadata
Go to start of metadata

How to CASify Tomcat Manager

This page provides a how-to in CASifying the Tomcat Manager web application.

Produced using Tomcat 5.0.28, but this approach should apply to other versions of Tomcat.

CASifying Standalone Tomcat

This section describes the (easier) case of CASifying Tomcat Manager where CATALINA_HOME is CATALINA_BASE.

Hacking the web.xml

Locate the web.xml descriptor for the manager web application

It will be in the /server/webapps/manager/WEB-INF directory of your Tomcat. For instance, mine's at I:\Tomcat\jakarta-tomcat-5.0.28\server\webapps\manager\WEB-INF .

Remove the container authentication and security stuff

We aren't going to use the Tomcat container authentication and servlet container security. We're going to replace it with CAS and a simple AuthZ filter.

Here's the stuff you don't need:

Remove this from the web.xml

After removing all that, you should be left with this:

Bare web.xml

Add in CAS authentication

Now we have a bare, unprotected Manager. We need to add CAS authentication to it.

So we need to map the CASFilter to provide for authentication.

Add this to the web.xml (with appropriate URLs for your CAS server and the server name for the Manager you are CASifying).

Declaring the CASFilter

Require authorization

We haven't added much, if any, security yet, because anyone who can CAS authenticate can now access the Manager. We need to add an authorization layer. For this we'll use the very simple Filter that comes with the Java CAS client to declare NetIDs authorized to access the Manager.

The SimpleCASAuthorization filter takes a whitespace-delimitted list of authorized usernames and asserts that the CAS authenticated username is one of these authorized users, throwing an exception when this is not the case. Here, for example, we authorize both user "awp9" and user "jdb53" to access Tomcat manager.

Add this filter declaration:

Declaring the Simple CAS Authorization filter

And add this filter mapping:

Mapping the simple CAS Authorization filter

The final web.xml should look like this:

web.xml for a CASified Manager

Adding the required jar file

Install the Java CAS client .jar file (version 2.1.0 or later, current as of this writing is 2.1.1), into the lib directory associated with the manager web application. For me this was I:\Tomcat\jakarta-tomcat-5.0.28\server\webapps\manager\WEB-INF\lib .

CASifying multiple Tomcats

Any takers for documenting how to CASify Tomcat Manager for an installation of several CATALINA_BASEs sharing a single CATALINA_HOME?


  • No labels