Jenkins Tomcat

Deploy a Java application to Tomcat using Octopus and Jenkins. In this tutorial, we show you how to build a fully-functional continuous delivery pipeline for a simple Java web application and deploy it to Tomcat. We use Jenkins to build the code and run tests, and we use Octopus Deploy to deploy and promote releases. Jenkins - 2.263.1 (LTS) deployed through tomcat on CentOS-8.2 and have Nginx reverse proxy running in-front of Jenkins. Under Manage Jenkins Configure Systems - Apply and Save not working, Due to this error, i cannot Apply (or) Save any of my configurations, It always shows below error on browser (Firefox & Chrome). HTTP Status 403 – Forbidden. If the jenkins.war is deployed in your webapps directory, but can not be started and the tomcat manager says FAIL - Application at context path /jenkins could not be started, you may need to grant the permissions for JENKINSHOME.

Skip to end of metadataGo to start of metadata

See Running Jenkins behind Apache for general information about running Jenkins on Apache. This page only covers the security aspect of it.

It is possible to use an apache in front of your tomcat instance that runs Jenkins. You will need to compile apache-2.2 with mod_proxy enabled. The example below shows an invocation of apache-2.2 configure script with parameters that enable mod_proxy, mod_proxy_ajp, LDAP and SSL.

Edit the httpd-vhosts.conf file that resides in ${APACHE_HOME}/conf/extras to make apache aware of your tomcat server.

The location of the file is different depending on how/where you install Apache from

Apache basic authentication

Jenkins Tomcat War

The example below shows a virtual host configuration for an apache that runs on the same machine as Jenkins. Jenkins here is configured to run an AJP connector on port 8102. This virtual host is also configured to rely on basic authentication (htpasswd) to protect certain resources, such as project(s) configuration, Jenkins management, and project(s) deletion. See the apache manual for examples of basic, and other, authentication scheme configuration.

This approach is suitable if the access control need is simplistic (such as hiding Jenkins from everyone but a few people), but it tends to break down if you start doing more complex set up (such as making Jenkins visible to anonymous users but only allowing a few people to modify the settings.)

If you do access control in Apache, do not enable security in Jenkins, as those two things will interfere with each other.

Apache authentication against x509/SSL

Above requires the maintenance of an .htpassword file. If your organisation has issued certs (or relies on third party client certs such as issued by Thawte or Verisign) - below can be used to remove the need to maintain such a .htpassword file and not have any people 'secret's on the machine.

This will make request look to Jenkins just like those of the .htpassword sample of above.

Jenkins can be then run as the following to only listen to AJP connection on port 8102 without any HTTP listener. The address also ensures that the external hosts cannot directly talk to Jenkins without going through Apache:


If you are running Jenkins inside a servlet container, refer to its documentation about how to prevent direct connection from outside to Jenkins. For example, in Tomcat, this is done by setting the address attribute in the tomcat connector definition. See http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html#Standard%20Implementation. For above localhost setting, use address=''.

Older versions of this plugin may not be safe to use. Please review the following warnings before using an older version:

This plugin takes a war/ear file and deploys that to a running remote application server at the end of a build. The implementation is based on Cargo. The list of currently supported containers include:
  • Tomcat 4.x/5.x/6.x/7.x/8.x/9.x
  • JBoss 3.x/4.x/5.x/6.x/7.x
  • Glassfish 2.x/3.x/4.x

Refer to the Deploy WebSphere Plugin to deploy to a running remote WebSphere Application Server.
Refer to the WebLogic Deployer Plugin to deploy to a running remote WebLogic Application Server.

How to rollback or redeploy a previous build

There may be several ways to accomplish this, but here is one suggested method:

  1. Install the Copy Artifact Plugin
  2. Create a new job that you will trigger manually only when needed
  3. Configure this job with a build parameter of type 'Build selector for Copy Artifact', and a copy artifact build step using 'Specified by build parameter' to select the build.
  4. Add a post-build action to deploy the artifact that was copied from the other job

Now when you trigger this job you can enter the build number (or use any other available selector) to select which build to redeploy. Thanks to Helge Taubert for this idea.

Change Log

Version 1.14 (Jul 24, 2019)
  • deployment plugin does not show any error message when the war file does not exist (JENKINS-13219)

  • Nothing happens after build (JENKINS-12760)

  • Add Deployment feature for Tomcat 9 (JENKINS-55333)

  • Tomcat deploy transfer speed (JENKINS-40428)

  • Add support for Jenkins Pipeline (JENKINS-44810)

  • Allow expansion of environment variables in the configuration (JENKINS-12825)

Version 1.13 (August 7, 2017)
Version 1.10 (Jul 2, 2014)
  • Support deployment to multiple targets (JENKINS-4949)
  • Expand variable references in the context path (JENKINS-5790)
  • Added JBoss 6 and 7 (JENKINS-19256)

Jenkins Tomcat Restart

Version 1.9 (Jun 11, 2012)
  • Password in config.xml is now scrambled (pull #6)
    • This change is backward-compatible but is not forward-compatible
  • The context path can now also be spericied (JENKINS-9093)
Version 1.8 (Jun 28, 2011)
  • GlassFish v3 remote deployment (pull #3)
Version 1.7 (Mar 11, 2011)
  • Fix Tomcat 7 deployement url
Version 1.6 (Dec 10, 2010)
  • Added Tomcat 7 and GlassFish 3 support
  • Fixed bug in GlassFishAdapter, need to explicitly set the home on the container
  • Updated library to Cargo 1.0.4
Version 1.5 (Jan 16, 2010)
  • Support Ant style GLOBs for specifying war/ear files (JENKINS-5166)
Version 1.4 (Dec 30, 2009)
  • Update library to Cargo 1.0
  • Only deploy if the build was successful, unless 'even when failed' option is checked
  • Check URL format when saving config
  • Update code for more recent Hudson
  • Add initial glassfish support
Version 1.3 (Aug 5, 2008)
  • This plugin didn't work on slaves (report,JENKINS-2114)
Version 1.2 (Jul 11, 2008)
  • Fixed the problem in submitting the configuration. Make sure to run this with 1.234 or later. (report)