package org.apache.jsp.WEB_002dINF.jsp; import javax.servlet.*; import javax.servlet.http.*; import javax.servlet.jsp.*; public final class _403_jsp extends org.apache.jasper.runtime.HttpJspBase implements org.apache.jasper.runtime.JspSourceDependent { private static final JspFactory _jspxFactory = JspFactory.getDefaultFactory(); private static java.util.List _jspx_dependants; private javax.el.ExpressionFactory _el_expressionfactory; private org.apache.AnnotationProcessor _jsp_annotationprocessor; public Object getDependants() { return _jspx_dependants; } public void _jspInit() { _el_expressionfactory = _jspxFactory.getJspApplicationContext(getServletConfig().getServletContext()).getExpressionFactory(); _jsp_annotationprocessor = (org.apache.AnnotationProcessor) getServletConfig().getServletContext().getAttribute(org.apache.AnnotationProcessor.class.getName()); } public void _jspDestroy() { } public void _jspService(HttpServletRequest request, HttpServletResponse response) throws java.io.IOException, ServletException { PageContext pageContext = null; HttpSession session = null; ServletContext application = null; ServletConfig config = null; JspWriter out = null; Object page = this; JspWriter _jspx_out = null; PageContext _jspx_page_context = null; try { response.setContentType("text/html"); pageContext = _jspxFactory.getPageContext(this, request, response, null, true, 8192, true); _jspx_page_context = pageContext; application = pageContext.getServletContext(); config = pageContext.getServletConfig(); session = pageContext.getSession(); out = pageContext.getOut(); _jspx_out = out; out.write("\r\n"); out.write("\r\n"); out.write("\r\n"); out.write(" \r\n"); out.write(" 403 Access Denied\r\n"); out.write(" \r\n"); out.write(" \r\n"); out.write(" \r\n"); out.write("

403 Access Denied

\r\n"); out.write("

\r\n"); out.write(" You are not authorized to view this page.\r\n"); out.write("

\r\n"); out.write("

\r\n"); out.write(" If you have already configured the Manager application to allow access and\r\n"); out.write(" you have used your browser's back button, used a saved book-mark or similar\r\n"); out.write(" then you may have triggered the cross-site request forgery (CSRF) protection\r\n"); out.write(" that has been enabled for the HTML interface of the Manager application. You\r\n"); out.write(" will need to reset this protection by returning to the \r\n"); out.write(" main Manager page. Once you\r\n"); out.write(" return to this page, you will be able to continue using the Manager\r\n"); out.write(" appliction's HTML interface normally. If you continue to see this access\r\n"); out.write(" denied message, check that you have the necessary permissions to access this\r\n"); out.write(" application.\r\n"); out.write("

\r\n"); out.write("

\r\n"); out.write(" If you have not changed\r\n"); out.write(" any configuration files, please examine the file\r\n"); out.write(" conf/tomcat-users.xml in your installation. That\r\n"); out.write(" file must contain the credentials to let you use this webapp.\r\n"); out.write("

\r\n"); out.write("

\r\n"); out.write(" For example, to add the manager-gui role to a user named\r\n"); out.write(" tomcat with a password of s3cret, add the following to the\r\n"); out.write(" config file listed above.\r\n"); out.write("

\r\n"); out.write("

\r\n");
      out.write("<role rolename=\"manager-gui\"/>\r\n");
      out.write("<user username=\"tomcat\" password=\"s3cret\" roles=\"manager-gui\"/>\r\n");
      out.write("

\r\n"); out.write("

\r\n"); out.write(" Note that for Tomcat 6.0.30 onwards, the roles required to use the manager\r\n"); out.write(" application were changed from the single manager role to add the\r\n"); out.write(" following four roles. (The manager role is still available but should not be\r\n"); out.write(" used as it avoids the CSRF protection). You will need to assign the role(s)\r\n"); out.write(" required for the functionality you wish to access.\r\n"); out.write("

\r\n"); out.write("

manager-gui - allows access to the HTML GUI and the status\r\n"); out.write(" pages
manager-script - allows access to the text interface and the\r\n"); out.write(" status pages
manager-jmx - allows access to the JMX proxy and the status\r\n"); out.write(" pages
manager-status - allows access to the status pages only

\r\n"); out.write("

\r\n"); out.write(" The HTML interface is protected against CSRF but the text and JMX interfaces\r\n"); out.write(" are not. To maintain the CSRF protection:\r\n"); out.write("

\r\n"); out.write("

users with the manager-gui role should not be granted either\r\n"); out.write(" the manager-script or manager-jmx roles.
if the text or jmx interfaces are accessed through a browser (e.g. for\r\n"); out.write(" testing since these interfaces are intended for tools not humans) then\r\n"); out.write(" the browser must be closed afterwards to terminate the session.

\r\n"); out.write("

\r\n"); out.write(" For more information - please see the\r\n"); out.write(" Manager App HOW-TO.\r\n"); out.write("

\r\n"); out.write(" \r\n"); out.write("\r\n"); out.write("\r\n"); } catch (Throwable t) { if (!(t instanceof SkipPageException)){ out = _jspx_out; if (out != null && out.getBufferSize() != 0) try { out.clearBuffer(); } catch (java.io.IOException e) {} if (_jspx_page_context != null) _jspx_page_context.handlePageException(t); else log(t.getMessage(), t); } } finally { _jspxFactory.releasePageContext(_jspx_page_context); } } }