401 Unauthorized error while logging in Manager-Ap

Posted 2019-01-22 20:11

Question:

I am trying to log in to the Manager App in Tomcat 7.0.22 for Mac OS X 10.7. Here is the error I am getting: http://f.cl.ly/items/421q1K3f1i0X1H1M181v/so.tiff

401 Unauthorized

You are not authorized to view this page. If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation. That file must contain the credentials to let you use this webapp.

For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above.

<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>

I have added this in my tomcat-users.xml, still it's not taking the same username/password.

<tomcat-users>
<role rolename="manager-gui"/>
<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>
</tomcat-users>

Answer 1:

Sorry, I have to ask the obvious: Did you restart Tomcat?

If that doesn't work, try adding "admin-gui" to your roles:

<user name="tomcat" password="s3cret" roles="admin-gui,standard,manager-gui"/>


Answer 2:

OK, I had this error too. Couldn't find the bug, couldn't find the bug, couldn't find the bug. My "tomcat-users" block looked just like this.

<tomcat-users>
<role rolename="manager-gui"/>
<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>
</tomcat-users>

FINALLY FOUND THE BUG. I kept editing the XML inside the XML comment block:

<!--
<tomcat-users>
<role rolename="manager-gui"/>
<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>
</tomcat-users>
-->

DOH!

So: don't forget to remove the "<!--" and "-->".



Answer 3:

I also encountered this problem. The content of my tomcat-users.xml was correct, but the file was not readable by Tomcat. I changed the file's group to tomcat7, restarted Tomcat, and voilà!

Here's the content of my tomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <user username="admin" password="admin" roles="manager-gui, admin-gui" />
</tomcat-users>


Answer 4:

To add some clarity, here are the roles you need to add to your conf/tomcat-users.xml as of Tomcat 7.x. If you want to keep the comments you can, but this is all you need (to log in with admin/admin) in the file:

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>  
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <role rolename="admin-gui"/>
  <role rolename="admin-script"/>
  <user username="admin" password="admin" roles="manager-gui, manager-script, manager-jmx, manager-status, admin-gui, admin-script"/>
</tomcat-users>


Answer 5:

Check the exact lines in server.xml

  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

Navdeep



Answer 6:

It's unlikely that anybody made the same mistake I did, but in case you have a couple of versions of Tomcat (or have fudged the installation and have files you need to clean up) make sure you are in the correct folder.

I was looking at the config file in C:\tomcat7\ but the actual Tomcat that was running was in C:\Program Files\Apache Software Foundation\Tomcat 7.0\



Answer 7:

If you are on Tomcat 8, you may be missing the following. I struggled with this for a while. After updating the Realms and tomcat-users.xml, you also need to edit the app's context.xml as well.

"By default, newer versions of Tomcat restrict access to the Manager and Host Manager apps to connections coming from the server itself. Since we are installing on a remote machine, you will probably want to remove or alter this restriction. To change the IP address restrictions on these, open the appropriate context.xml files."

For Manager app -

/webapps/manager/META-INF/context.xml

For Host-Manager app -

/opt/tomcat/webapps/host-manager/META-INF/context.xml

Comment out the following section for Valve as follows-

<Context antiResourceLocking="false" privileged="true" >
  <!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->
</Context>

You should be all set after this.



Answer 8:

I had the same error, then I changed the password in users.xml. That solved it. If you use some special chars like &, it doesn't work. Remove it.



Answer 9:

I was getting exactly the same error and it only started working after I changed the connector port from 8080 to 8081.



Answer 10:

Also make sure that you have set TOMCAT_HOME as well as JAVA_HOME environment variables correctly.



Answer 11:

I had to uncomment this in server.xml:

    <Resource name="UserDatabase" auth="Container"
          type="org.apache.catalina.UserDatabase"
          description="User database that can be updated and saved"
          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />

I thought I was just cleaning up the config of an example data source, but I was wrong :)



Answer 12:

On Windows I had a CATALINA_HOME environment variable defined for another Tomcat installation, so that was starting even though I was using the startup script in the new installation folder. So just deleting CATALINA_HOME solved the problem for me.



Answer 13:

Changing the port from 8080 to 8088 in server.xml worked for me. Refer to the code below:

<Connector port="8088" protocol="HTTP/1.1" 
connectionTimeout="20000"
redirectPort="8443" />


Answer 14:

In my case, I had multiple <Engine><Host>...</Host></Engine> sections in my context.xml and I had to copy and paste the <Realm className="org.apache.catalina.realm.LockOutRealm">...</Realm> into each <Engine>...</Engine> section because I had the manager app deployed in each one of these hosts that were part of a separate Engine.

The answer from @swapnil chaudhari about the IP address restriction in the app's META-INF/context.xml is also helpful, however I found it more beneficial to override the Context in my server's server.xml.

In the end, I have something like this for each one of my Engines:

    <Engine name="CatalinaMyUniqueEngine"
            defaultHost="MyUniqueHost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="MyUniqueHost"
            appBase="/opt/tomcat/webapps/MyUniqueHost"
            unpackWARs="true" autoDeploy="true">
        <Context path="/manager" privileged="true" antiResourceLocking="false"
                 docBase="manager">
          <!-- Wider allowance than the default.
               Or you can remove to allow all IPs, which probably isn't
               a good idea. -->
          <Valve className="org.apache.catalina.valves.RemoteAddrValve"
                 allow="127\.0\.0\.1|10\.244\.\d+\.\d+" />
        </Context>
      </Host>
    </Engine>

docBase is relative to appBase. In /opt/tomcat/webapps/MyUniqueHost, I have a symbolic link to the manager application installed by my system's package manager (Debian-based), which placed it at /usr/share/tomcat8-admin/manager. These symbolic links allow me to use the manager app in all my Hosts without copying the manager application.
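
Added example (not part of the answers above, and not Tomcat code): a small Python check of which client addresses a Context admits, covering the valve from Answer 7 when live and when commented out, and the narrowed pattern from Answer 14. The client addresses are constructed, only the allow attribute is modelled, and whole-address matching is an assumption.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"

def admitted(context_xml, addresses):
    """Return {address: bool} for the live RemoteAddrValve of one Context."""
    root = ET.fromstring(context_xml)
    # Comments are dropped by the parser, so a commented-out valve is absent.
    valves = [v for v in root.iter("Valve") if v.get("className") == VALVE]
    if not valves:
        return {a: True for a in addresses}  # no address filter at all
    allow = re.compile(valves[0].get("allow", ""))
    # Assumption: the whole address must match, as with Java's matches().
    return {a: bool(allow.fullmatch(a)) for a in addresses}

# Constructed inputs: the valve from Answer 7 (live and commented out) and the
# pattern from Answer 14 with every dot escaped.
DEFAULT = r'''<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>'''
COMMENTED_OUT = DEFAULT.replace("<Valve", "<!--<Valve").replace("/>", "/>-->")
NARROWED = DEFAULT.replace(r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1",
                           r"127\.0\.0\.1|10\.244\.\d+\.\d+")
CLIENTS = ["127.0.0.1", "::1", "10.244.3.7", "192.0.2.10"]  # constructed

if __name__ == "__main__":
    for label, xml in [("default", DEFAULT), ("commented out", COMMENTED_OUT),
                       ("narrowed", NARROWED)]:
        print(label, admitted(xml, CLIENTS))
```

With the valve commented out every address is admitted, so the manager login is then protected only by the credentials in tomcat-users.xml.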



Answer 15:

Check your browser.

I was running tomcat locally on Windows, and trying to log in using Chrome. None of the suggestions above seemed to work. Finally on a whim, I tried Firefox and got the login prompt! I restarted Chrome and tried it again, and still nothing. It appears our network policy screws with Chrome - probably blocking the popup login dialog.



Answer 16:

Just to add some information on @David's answer:

If you are like me and SFTP to the host with any user under a group other than tomcat (for e.g. root) and edit tomcat_users.xml with some generic editor like gedit or VS Code, the group of the file will be changed to the user you used (probably because a new file was created). Like below:

drwxr-x--- 2 root tomcat   4096 Jun 21 11:41 ./
drwxr-xr-x 9 root tomcat   4096 May 24 14:12 ../
-rw-r----- 1 root tomcat  13531 Apr 28 03:34 catalina.policy
-rw-r----- 1 root tomcat   7202 Apr 28 03:34 catalina.properties
-rw-r----- 1 root tomcat   1400 Apr 28 03:34 context.xml
-rw-r----- 1 root tomcat   1149 Apr 28 03:34 jaspic-providers.xml
-rw-r----- 1 root tomcat   2313 Apr 28 03:34 jaspic-providers.xsd
-rw-r----- 1 root tomcat   3850 Apr 28 03:34 logging.properties
-rw-r----- 1 root tomcat   7511 Apr 28 03:34 server.xml
-rw-r----- 1 root root     2342 Jun 21 11:41 tomcat-users.xml
-rw-r----- 1 root tomcat   2633 Apr 28 03:34 tomcat-users.xsd
-rw-r----- 1 root tomcat 170202 Apr 28 03:34 web.xml

Maybe my initial setup of tomcat was a bit casual... But with the above behavior, tomcat will lose access to the edited file. The result would be 401 Unauthorized.

There are a number of options to get around the problem. I'm not sure if any of them is the best practice though.

  • Changing permission after the edit (yes sure...).
  • nano and WinSCP do not seem to suffer from the issue.
  • SETGID: chmod g+s /conf_folder (not tested).
  • Follow this answer
  • Maybe an editor that is permission-aware?


Answer 17:

I tried to add username as tomcat in tomcat-users.xml, which was already a role, and it was not working. Then I gave the username as admin and it worked fine. :)



Answer 18:

Shut down Tomcat.

Paste the complete content below into tomcat-users.xml and save.

Start Tomcat.

Now build; it should work. I did this for Windows OS with Jenkins and git deployment via tomcat7.

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <role rolename="admin-gui"/>
  <role rolename="admin-script"/>
  <user roles="manager-gui, manager-script, manager-jmx, manager-status, admin-gui, admin-script" password="admin" username="admin"/>
</tomcat-users>


Answer 19:

I was using a particularly complex password with lots of odd characters. I just changed that back to a regular password and it worked fine.
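
Added example (not part of any answer in this thread, and not Tomcat code): a Python audit of a tomcat-users.xml document for the content problems reported in Answers 2, 8 and 19, namely user entries left inside an XML comment and a raw special character that makes the file unparseable, plus a missing manager-gui role and the sample passwords shown on this page. The function name, the sample documents and the "ops" account are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Passwords shown in this thread; an assumed list for the weak-credential check.
SAMPLE_PASSWORDS = {"s3cret", "admin", "tomcat"}

def audit_tomcat_users(xml_text, needed_role="manager-gui"):
    """Return a list of findings for one tomcat-users.xml document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A raw '&' or '<' in a password makes the whole file unparseable.
        return [f"not well-formed XML: {exc}"]
    findings = []
    # ElementTree drops comments, so only live <user> elements are seen.
    # The tag may carry a namespace, so compare the local name only.
    users = [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "user"]
    commented = re.findall(r"<!--.*?-->", xml_text, flags=re.S)
    if not users and any("<user" in c for c in commented):
        findings.append("every <user> entry is inside an XML comment")
    for el in users:
        name = el.get("username") or el.get("name") or "?"
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if needed_role not in roles:
            findings.append(f"user {name!r} lacks role {needed_role!r}")
        password = el.get("password", "")
        if password == name or password in SAMPLE_PASSWORDS:
            findings.append(f"user {name!r} has a guessable password")
    return findings

# Constructed sample documents, modelled on the snippets in this thread.
COMMENTED = ('<tomcat-users>\n<!--\n<role rolename="manager-gui"/>\n'
             '<user name="tomcat" password="s3cret" roles="standard,manager-gui"/>\n'
             '-->\n</tomcat-users>')
AMPERSAND = ('<tomcat-users><user username="ops" password="p&ss" '
             'roles="manager-gui"/></tomcat-users>')
WEAK = ("<?xml version='1.0' encoding='utf-8'?>\n<tomcat-users>\n"
        '  <user username="admin" password="admin" roles="manager-gui, admin-gui" />\n'
        "</tomcat-users>")
GOOD = ('<tomcat-users xmlns="http://tomcat.apache.org/xml">'
        '<user username="ops" password="constructed-long-passphrase" '
        'roles="manager-gui, admin-gui"/></tomcat-users>')

if __name__ == "__main__":
    for label, doc in [("commented", COMMENTED), ("ampersand", AMPERSAND),
                       ("weak", WEAK), ("good", GOOD)]:
        print(label, audit_tomcat_users(doc))
```

A password that needs an ampersand can be kept by writing it as &amp;amp; in the attribute value, which leaves the file well-formed.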