Purpose of roles tags in tomcat-users.xml?


In the Tomcat 7 <em>tomcat-users.xml</em> file, what purpose is served by the <role /> tags?

For an XAMPP instance of Tomcat 7, I've figured out how to configure my <em>tomcat-users.xml</em> file to permit me to access both <strong>Tomcat Web Application Manager</strong> and <strong>Tomcat Virtual Host Manager</strong>. More specifically, the following enables the aforementioned access:

<tomcat-users> <user username="uname" password="pword" roles="manager-gui,admin-gui"/> </tomcat-users>

Note that what's NOT in this successful snippet of XML are any <role /> tags. That's the crux of my question: I can't for the life of me figure out what purpose <em>role</em> tags are meant to serve.

In pursuit of learning how to configure access, I've read plenty of documentation and forum postings, but they all seem to go in a circle: One can define <em>roles</em>, but then <em>roles</em> don't really seem to themselves define anything useful(?)

For example, here's the recurring illustration used in both the <em>tomcat-users.xml</em> file and in numerous forum posts "explaining" the use of roles.

<tomcat-users> <role rolename="tomcat"/> <user username="uname" password="pword" roles="tomcat"/> </tomcat-users>

Okay, so in this "explanation" a <em>role</em> element defines a <em>rolename</em> attribute equal to <em>tomcat</em>, then the <em>user</em> element contains a <em>roles</em> attribute that defines the user's role as <em>tomcat</em>. What's the point?

Asked another way, given that in <em>role</em> element the <em>rolename</em> attrbute defines <em>tomcat</em>, <em>roles=tomcat</em> does what, exactly? Especially compared to my working user definition of <em></em> where <em>manager-gui</em> and <em>admin-gui</em> define roles that enable <strong>Tomcat Web Application Manager</strong> AND <strong>Tomcat Virtual Host Manager</strong> access.

Cheers & thanks,<br /> Riley<br /> SFO


The use of the <role .../> element in tomcat-users.xml is optional. Tomcat builds the list of roles from the <role .../> elements and from the roles named in the roles="..." attribute of the users.

The benefit of using the <role .../> element is that you can declare the complete set of supported roles and you can include description attribute describing the role.

As an aside, tomcat-users.xml also supports groups although they are not shown in the example that ships by default with Tomcat. Groups are sets of roles that can then be assigned to users.


From what I understand you (can) define roles:


because it gives you more flexibility, for example add a description an for instance. A GUI can use this information.

<role rolename="customer" description="Customer of Java WebService"/> </li> <li>

you can remap or group the roles later in a specific servlet

<security-role-ref> <role-name>cust</role-name> <role-link>bankCustomer</role-link> </security-role-ref> </li> </ul>

Please keep in mind that I am not a Tomcat expert so I hope that a true expert can refine this answer.



Asked another way, given that in role element the rolename attrbute defines tomcat, roles=tomcat does what, exactly? Especially compared to my working user definition of where manager-gui and admin-gui define roles that enable Tomcat Web Application Manager AND Tomcat Virtual Host Manager access.


Role/security constraints are defined in applications descriptor <em>web.xml</em>.

For Example, <em>manager-gui</em> is defined in tomcat <em>manager</em> application:

<security-constraint> <web-resource-collection> <web-resource-name>HTML Manager interface (for humans)</web-resource-name> <url-pattern>/html/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>manager-gui</role-name> </auth-constraint> </security-constraint> <security-role> <description> The role that is required to access the HTML Manager pages </description> <role-name>manager-gui</role-name> </security-role>


  • WPF DataGrid Remove SelectedItems
  • Scala right associative methods
  • “Linear dependence in the dictionary” exception in sklearns OMP
  • How do you give the rvalue generated by a constructor the lifetime of an lvalue?
  • Angular material create alert similar to bootstrap alerts
  • grails date format in English language
  • Adding additional UITabbarItem to UITabbarController
  • Ruby on Rails joins models for json output
  • Webpack with babel-loader not emitting valid es5
  • function overloading in swift [duplicate]
  • Sequelize belongsToMany additional attributes in join table
  • Angular Material mat-table is not showing updated data from data source
  • animating text box when clicked
  • Stop the background service after particular time in android
  • Processing dynamic MP3 URL
  • Is this usage of the const keyword in line with its intention?
  • search bar getting disappeared in ios UIsearchcontroller
  • Wicket countdown timer will not self-update
  • Reshape dataframe to dataframe with unlimited rows and filling zeroes where no values
  • performance counter events associated with false sharing
  • “RepeatForUnit” item missing in Calendar entry?
  • Unable to create a textclip in moviepy (imagemagick succesfully installed?) - got Utf8 Error
  • JSF validateLength question
  • what is “Other” category in CosmosDB monitoring graph?
  • Draw ring with given thickness, position, and radius. (Java2D)
  • C# XML Serialization/DeSerialization [closed]
  • How can I access the Google account user_id?
  • Can someone explain how Yii minimizing assets is supposed to work on Heroku?
  • When i select a Textfield the keyboard moves over it
  • Jekyll - How do I create pages in the root directory?
  • Pick Out Specific Number from Array? [duplicate]
  • Create an Office365 mailbox from within C# Web API method
  • Ajax call on Multiple selection in Select box
  • using maven pom while creating jar:test-jar some times it says JAR will be empty - no content was ma
  • How to include associated objects using gon in Rails/jQuery
  • How can I ssh into a server that requires 2 password authentication using python's paramiko mod
  • Background transfer download task failed when app was closed
  • XEP-0166: Jingle protocol implementation for voice/video chat in iOS
  • Firebase: How to read from external DB?
  • media foundation H264 decoder not working properly