Re: Restrict access to webapps for IPs
Hi Jens,

On Wednesday, 11 May 2005 08:17, Altrock, Jens wrote:
> Ok tried it again.. first some more information:
>
> I am using Tomcat 5.0.28 on Redhat Fedora Core 3, installed in /usr/local/tomcat
>
> I created an XML file called application.xml in /usr/local/tomcat/conf/Catalina/localhost where application is the name of the webapp. That worked so far. The file consisted just of a few lines:
>
> <Context path="/NetAdmin" docBase="${catalina.home}/webapps/NetAdmin" debug="0" privileged="true">
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.100.46.*,172.16.*.*,194.25.29.*,127.0.0.1"/>
> </Context>
>
> I have to mention that I did neither write that app nor know much about it anyway.. it uses a JDBC connection to a mysql database to write data to that db. But after creating that config file mentioned above, the JDBC driver didn't work anymore... Anyone can help me with that?

It looks like your new Context definition is overriding an existing Context definition for this web application which contains the resource definition for the MySQL database. So you should have a look at your $CATALINA_HOME/conf/server.xml if there might be an existing Context definition inside the related Host element.

You should also look for a context.xml in the $CATALINA_HOME/webapps/[webapp]/META-INF/ directory for the same reason.

If you find an existing Context definition, then insert your valve filter there and delete your newly created application.xml.

Best wishes

Lutz

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Restrict access to webapps for IPs
Hi Jens,

On Wednesday, 11 May 2005 09:01, Altrock, Jens wrote:
> -----Original Message-----
> From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 11 May 2005 08:50
> To: Tomcat Users List
> Subject: Re: Restrict access to webapps for IPs
>
> > Hi Jens,
> >
> > On Wednesday, 11 May 2005 08:17, Altrock, Jens wrote:
> > > Ok tried it again.. first some more information:
> > >
> > > I am using Tomcat 5.0.28 on Redhat Fedora Core 3, installed in /usr/local/tomcat
> > > [...]
> > > I have to mention that I did neither write that app nor know much about it anyway.. it uses a JDBC connection to a mysql database to write data to that db. But after creating that config file mentioned above, the JDBC driver didn't work anymore... Anyone can help me with that?
> >
> > It looks like your new Context definition is overriding an existing Context definition for this web application which contains the resource definition for the MySQL database. So you should have a look at your $CATALINA_HOME/conf/server.xml if there might be an existing Context definition inside the related Host element.
>
> I looked at the $CATALINA_HOME/conf/server.xml file, but can't find anything like that inside the HOST element. It's the standard server.xml file though, I don't know in what way a servlet itself can change that file; but I don't think it can.
>
> > You should also look for a context.xml in the $CATALINA_HOME/webapps/[webapp]/META-INF/ directory for the same reason.
>
> I did, but there is none, and there never was one. That's what I thought first, but there's just a MANIFEST.MF file inside.

If the MySQL database connection has worked before and will work again when you remove your newly created Context file, then there has to be a Resource definition for it somewhere. As you are using Linux, why don't you simply search the files in the $CATALINA_HOME directory for this Resource definition? I.e. like this:

    grep -R mysql /usr/local/tomcat

This way, you should find the file defining the MySQL resource for your web application (context). Then proceed as I suggested.

Best wishes

Lutz
RE : Restrict access to webapps for IPs
See http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/host.html#Automatic Application Deployment

When using automatic deployment, the docBase defined by an XML Context file should be outside of the appBase directory. If this is not the case difficulties may be experienced deploying the web application or the application may be deployed twice.

-----Original Message-----
From: Altrock, Jens [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 11 May 2005 09:01
To: 'Tomcat Users List'
Subject: AW: Restrict access to webapps for IPs

> -----Original Message-----
> From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 11 May 2005 08:50
> To: Tomcat Users List
> Subject: Re: Restrict access to webapps for IPs
>
> Hi Jens,
>
> On Wednesday, 11 May 2005 08:17, Altrock, Jens wrote:
> > Ok tried it again.. first some more information:
> >
> > I am using Tomcat 5.0.28 on Redhat Fedora Core 3, installed in /usr/local/tomcat
> >
> > I created an XML file called application.xml in /usr/local/tomcat/conf/Catalina/localhost where application is the name of the webapp. That worked so far. The file consisted just of a few lines:
> >
> > <Context path="/NetAdmin" docBase="${catalina.home}/webapps/NetAdmin" debug="0" privileged="true">
> >   <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.100.46.*,172.16.*.*,194.25.29.*,127.0.0.1"/>
> > </Context>
> >
> > I have to mention that I did neither write that app nor know much about it anyway.. it uses a JDBC connection to a mysql database to write data to that db. But after creating that config file mentioned above, the JDBC driver didn't work anymore... Anyone can help me with that?
>
> It looks like your new Context definition is overriding an existing Context definition for this web application which contains the resource definition for the MySQL database. So you should have a look at your $CATALINA_HOME/conf/server.xml if there might be an existing Context definition inside the related Host element.

I looked at the $CATALINA_HOME/conf/server.xml file, but can't find anything like that inside the HOST element. It's the standard server.xml file though, I don't know in what way a servlet itself can change that file; but I don't think it can.

> You should also look for a context.xml in the $CATALINA_HOME/webapps/[webapp]/META-INF/ directory for the same reason.

I did, but there is none, and there never was one. That's what I thought first, but there's just a MANIFEST.MF file inside.

> If you find an existing Context definition, then insert your valve filter there and delete your newly created application.xml.
>
> Best wishes
>
> Lutz

I attached the server.xml and the application's xml file to the mail though.

Regards,

Jens

###
This message has been scanned by F-Secure Anti-Virus.
Re: Restrict access to webapps for IPs
http://jakarta.apache.org/tomcat/faq/security.html#restrict

-Tim

Altrock, Jens wrote:
> Hi there,
>
> Hope this question won't sound as dumb, for I am completely new to Tomcat; and I haven't found what I was searching for in the documentation though...
>
> I got four different applications/websites in the Tomcat webapps directory, let's just call them A, B, C and D.
>
> The applications A, B and C should be accessible from the networks 192.100.46.0/24 as well as 172.16.0.0/16
>
> But application D should be accessible from anywhere.
>
> Is there any way to do this in tomcat? I tried with the apache .htaccess files, but that won't work though.
Re: Restrict access to webapps for IPs
Hi Jens,

Altrock, Jens wrote:
> That's what I already read, but there's never said in which config files to put that in, nor are there any examples... or didn't I see them too?

What you are looking for is the RemoteAddrValve valve:

http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/valve.html#Remote%20Address%20Filter

Reading your first mail, the right place for the RemoteAddrValve valve should be within the Context element in your case, although it can also be used for the Host or even the Engine. Each Context element represents a web application. For more information, please read the following page which also explains where to store the Context element:

http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/context.html

Please note that the above two links refer to Tomcat version 5.5. The information on these pages may not suit previous Tomcat versions. If you use a Tomcat version prior to 5.5, please consult the respective documentation.

Best wishes

Lutz

> -----Original Message-----
> From: Tim Funk [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 10 May 2005 14:42
> To: Tomcat Users List
> Subject: Re: Restrict access to webapps for IPs
>
> http://jakarta.apache.org/tomcat/faq/security.html#restrict
>
> -Tim
>
> Altrock, Jens wrote:
> > Hi there,
> >
> > Hope this question won't sound as dumb, for I am completely new to Tomcat; and I haven't found what I was searching for in the documentation though...
> >
> > I got four different applications/websites in the Tomcat webapps directory, let's just call them A, B, C and D.
> >
> > The applications A, B and C should be accessible from the networks 192.100.46.0/24 as well as 172.16.0.0/16
> >
> > But application D should be accessible from anywhere.
> >
> > Is there any way to do this in tomcat? I tried with the apache .htaccess files, but that won't work though.
Re: Restrict access to webapps for IPs
Hi Jens,

Altrock, Jens wrote:
> Ok, got that. But do I need to install the regular expressions library?

To my practical knowledge, the RemoteAddrValve will work out of the box. You don't have to install additional libraries to get it to work.

> And how to say that I want a whole subnet to be added?

For allowing a whole subnet, just use an asterisk in the allow attribute value:

    <Valve ... allow="192.168.0.*"/>

Lutz
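Added example, not part of the original thread and not Tomcat's own code: the allow attribute of RemoteAddrValve is documented as a comma-separated list of regular expressions, so an unescaped `.` matches any character and `.*` matches anything. The Python sketch below models that matching, assuming the valve compares the whole address against each pattern, and shows that the thread's `172.16.*.*` also admits addresses outside 172.16.0.0/16; the escaped pattern list and the sample addresses are constructed here.

```python
import re

# allow value exactly as posted in the thread
POSTED = "192.100.46.*,172.16.*.*,194.25.29.*,127.0.0.1"

# Constructed here: the same networks with the dots escaped. \d+ is used
# instead of \d{1,3} because the attribute value is split on commas.
ESCAPED = (r"192\.100\.46\.\d+,172\.16\.\d+\.\d+,"
           r"194\.25\.29\.\d+,127\.0\.0\.1")

# Constructed sample client addresses -> should the policy admit them?
SAMPLES = {
    "192.100.46.17": True,
    "172.16.5.9": True,
    "194.25.29.200": True,
    "127.0.0.1": True,
    "172.160.5.9": False,   # outside 172.16.0.0/16
    "172.168.1.1": False,   # outside 172.16.0.0/16
    "203.0.113.7": False,   # unrelated documentation address
}

def compile_allow(allow):
    """Split the comma-separated attribute value into compiled patterns."""
    return [re.compile(p.strip()) for p in allow.split(",") if p.strip()]

def is_allowed(addr, patterns):
    """True if the whole address matches any pattern (assumed valve behaviour)."""
    return any(p.fullmatch(addr) for p in patterns)

def overmatches(allow, samples=SAMPLES):
    """Addresses the pattern list admits although the policy excludes them."""
    patterns = compile_allow(allow)
    return sorted(a for a, wanted in samples.items()
                  if not wanted and is_allowed(a, patterns))

def undermatches(allow, samples=SAMPLES):
    """Addresses the policy wants admitted but the pattern list rejects."""
    patterns = compile_allow(allow)
    return sorted(a for a, wanted in samples.items()
                  if wanted and not is_allowed(a, patterns))

if __name__ == "__main__":
    for name, allow in (("posted", POSTED), ("escaped", ESCAPED)):
        print(name, "admits unexpectedly:", overmatches(allow),
              "rejects unexpectedly:", undermatches(allow))
```

Running the same check against any allow list before deploying it catches patterns that are wider than the intended subnet.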
RE: Restrict access to webapps for IPs
Not in web.xml but in server.xml in your <context></context>

-----Original Message-----
From: Altrock, Jens [mailto:[EMAIL PROTECTED]
Sent: 10 May 2005 15:13
To: 'Tomcat Users List'
Subject: AW: Restrict access to webapps for IPs

Hm... won't work :(

I added to one of the apps in webapps/name_of_app/WEB-INF/web.xml the following:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.100.46.*"/>

right after the web-app tag in the xml file. But people can access that application from the internet anyway...

> -----Original Message-----
> From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 10 May 2005 16:00
> To: Tomcat Users List
> Subject: Re: Restrict access to webapps for IPs
>
> Hi Jens,
>
> Altrock, Jens wrote:
> > Ok, got that. But do I need to install the regular expressions library?
>
> To my practical knowledge, the RemoteAddrValve will work out of the box. You don't have to install additional libraries to get it to work.
>
> > And how to say that I want a whole subnet to be added?
>
> For allowing a whole subnet, just use an asterisk in the allow attribute value:
>
>     <Valve ... allow="192.168.0.*"/>
>
> Lutz
Re: Restrict access to webapps for IPs
Hi Jens,

Altrock, Jens wrote:
> Hm... won't work :(
>
> I added to one of the apps in webapps/name_of_app/WEB-INF/web.xml the following:
>
>     <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.100.46.*"/>
>
> right after the web-app tag in the xml file. But people can access that application from the internet anyway...

You have put the Valve element into the wrong file or place. It cannot be nested into the web-app element and cannot be placed in the web.xml. You have to nest it into an engine, host or context element. In your case, you have to nest it into the context element because you want to apply the filter rule to a web application which is equivalent to the context element in Tomcat terms.

You should have a look at one of the links I mentioned to find the right place for the Valve element:

http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/context.html

Try one of these options offered on this page (refers to Tomcat version 5.5):

* in individual files (with a .xml extension) in the $CATALINA_HOME/conf/[enginename]/[hostname]/ directory
* if the previous file was not found for this application, in individual file at /META-INF/context.xml inside the application files

Best wishes

Lutz
RE: Restrict access to webapps for IPs
Hi,

Raghupathy,Gurumoorthy wrote:
> Not in web.xml but in server.xml in your <context></context>

As regards the server.xml, this depends on the Tomcat version you are using. The documentation emphasizes:

Please note that for tomcat 5, unlike tomcat 4.x, it is NOT recommended to place Context elements directly in the server.xml file.
- http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/context.html

Best wishes

Lutz