AW: Restrict access to webapps for IPs

2005-05-11 Thread Altrock, Jens
Ok tried it again.. first some more information:
I am using Tomcat 5.0.28 on Redhat Fedora Core 3, installed in
/usr/local/tomcat

I created an XML file called application.xml in
/usr/local/tomcat/conf/Catalina/localhost
where application is the name of the webapp. That worked so far. The file
consisted just of a few lines:

<Context path="/NetAdmin" docBase="${catalina.home}/webapps/NetAdmin"
         debug="0" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="192.100.46.*,172.16.*.*,194.25.29.*,127.0.0.1"/>
</Context>

I have to mention that I did neither write that app nor know much about it
anyway.. it uses a JDBC connection
to a mysql database to write data to that db. But after creating that config
file mentioned above, the
JDBC driver didn't work anymore...

Anyone can help me with that?

Regards,

Jens

 -----Original Message-----
 From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 10 May 2005 16:24
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs


 Hi Jens,

 Altrock, Jens wrote:
  Hm... won't work :(
 
  I added to one of the apps in
 webapps/name_of_app/WEB-INF/web.xml the
  following:
 
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
  allow="192.100.46.*"/>
 
  right after the web-app tag in the xml file.
  But people can access that application from the internet anyway...

 You have put the Valve element into the wrong file or
 place. It cannot
 be nested into the web-app element and cannot be placed in
 the web.xml.
 You have to nest it into an engine, host or context element.

 In your case, you have to nest it into the context element
 because you
 want to apply the filter rule to a web application which is
 equivalent to
 the context element in Tomcat terms.

 You should have a look at one of the links I mentioned to
 find the right
 place for the Valve element:

 http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/context.html

 Try one of these options offered on this page (refers to
 Tomcat version 5.5):

 * in individual files (with a .xml extension) in the
 $CATALINA_HOME/conf/[enginename]/[hostname]/ directory
 * if the previous file was not found for this application, in
 individual
 file at /META-INF/context.xml inside the application files


 Best wishes

 Lutz


 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]

###
Diese Nachricht wurde von F-Secure Anti-Virus gescannt.

This message has been scanned by F-Secure Anti-Virus.





Re: Restrict access to webapps for IPs

2005-05-11 Thread Lutz Zetzsche
Hi Jens,

On Wednesday, 11 May 2005 08:17, Altrock, Jens wrote:
 Ok tried it again.. first some more information:
 I am using Tomcat 5.0.28 on Redhat Fedora Core 3, installed in
 /usr/local/tomcat

 I created an XML file called application.xml in
 /usr/local/tomcat/conf/Catalina/localhost
 where application is the name of the webapp. That worked so far.
 The file consisted just of a few lines:

 <Context path="/NetAdmin" docBase="${catalina.home}/webapps/NetAdmin"
 debug="0" privileged="true">
   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
 allow="192.100.46.*,172.16.*.*,194.25.29.*,127.0.0.1"/>
 </Context>

 I have to mention that I did neither write that app nor know much
 about it anyway.. it uses a JDBC connection
 to a mysql database to write data to that db. But after creating that
 config file mentioned above, the
 JDBC driver didn't work anymore...

 Anyone can help me with that?

It looks like your new Context definition is overriding an existing 
Context definition for this web application which contains the resource 
definition for the MySQL database.

So you should have a look at your $CATALINA_HOME/conf/server.xml if 
there might be an existing Context definition inside the related Host 
element.

You should also look for a context.xml in the 
$CATALINA_HOME/webapps/[webapp]/META-INF/ directory for the same 
reason.

If you will find an existing Context definition, then insert your valve 
filter there and delete your newly created application.xml.


Best wishes

Lutz
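
Added example, not part of the thread and not Tomcat code: a Python check of the places named in this thread where a webapp's Context can be defined (conf/server.xml, conf/[enginename]/[hostname]/, META-INF/context.xml), plus WEB-INF/web.xml, reporting which copy carries the RemoteAddrValve and which carries a Resource. The sample tree, the resource name jdbc/NetAdminDB and all function names are constructed for the demonstration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample layout (not the poster's real files).
SAMPLE = {
    "conf/server.xml":
        '<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">'
        '<Host name="localhost" appBase="webapps">'
        '<Context path="/NetAdmin" docBase="NetAdmin">'
        '<Resource name="jdbc/NetAdminDB" auth="Container" type="javax.sql.DataSource"/>'
        '</Context></Host></Engine></Service></Server>',
    "conf/Catalina/localhost/NetAdmin.xml":
        '<Context path="/NetAdmin" docBase="${catalina.home}/webapps/NetAdmin">'
        f'<Valve className="{VALVE_CLASS}" allow="192.100.46.*"/></Context>',
    "webapps/NetAdmin/WEB-INF/web.xml":
        f'<web-app><Valve className="{VALVE_CLASS}" allow="192.100.46.*"/></web-app>',
}


def local(tag):
    """Element name without an XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def scan(home, app):
    """List every Context found for `app`, whether it holds the Valve and
    which Resources it defines, and flag a Valve left in web.xml."""
    home = Path(home)
    files = [home / "conf" / "server.xml"]
    files += sorted((home / "conf").glob(f"*/*/{app}.xml"))  # conf/[engine]/[host]/
    files += [home / "webapps" / app / "META-INF" / "context.xml",
              home / "webapps" / app / "WEB-INF" / "web.xml"]
    findings = []
    for path in files:
        if not path.is_file():
            continue
        rel = path.relative_to(home).as_posix()
        root = ET.parse(path).getroot()
        if path.name == "web.xml":
            # web.xml is the servlet deployment descriptor, not a container
            # config file, so a Valve placed there filters nothing.
            if any(local(e.tag) == "Valve" for e in root.iter()):
                findings.append({"file": rel, "kind": "valve-ignored"})
            continue
        for ctx in (e for e in root.iter() if local(e.tag) == "Context"):
            # server.xml can hold many Contexts; keep only the one for this app.
            if path.name == "server.xml" and ctx.get("path") != f"/{app}":
                continue
            findings.append({
                "file": rel,
                "kind": "context",
                "valve": any(v.get("className") == VALVE_CLASS
                             for v in ctx.iter() if local(v.tag) == "Valve"),
                "resources": [r.get("name") for r in ctx.iter()
                              if local(r.tag) == "Resource"],
            })
    return findings


def problems(findings):
    """Turn scan() results into the issues discussed in the thread."""
    out = [f"{f['file']}: Valve is ignored here (not a container config file)"
           for f in findings if f["kind"] == "valve-ignored"]
    contexts = [f for f in findings if f["kind"] == "context"]
    with_resources = [c for c in contexts if c["resources"]]
    for c in contexts:
        if c["valve"] and not c["resources"] and with_resources:
            out.append(f"{c['file']}: has the Valve but not the Resource(s) defined "
                       f"in {with_resources[0]['file']}; keep one merged Context")
    if contexts and not any(c["valve"] for c in contexts):
        out.append("no Context for this app carries a RemoteAddrValve")
    return out


def demo():
    """Build the sample tree in a temp dir and return (findings, problems)."""
    with tempfile.TemporaryDirectory() as home:
        for rel, text in SAMPLE.items():
            target = Path(home) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        findings = scan(home, "NetAdmin")
    return findings, problems(findings)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Against a real installation, call scan("/usr/local/tomcat", "NetAdmin") and pass the result to problems().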




AW: Restrict access to webapps for IPs

2005-05-11 Thread Altrock, Jens
 -----Original Message-----
 From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 11 May 2005 08:50
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs


 Hi Jens,

 On Wednesday, 11 May 2005 08:17, Altrock, Jens wrote:
  Ok tried it again.. first some more information:
  I am using Tomcat 5.0.28 on Redhat Fedora Core 3, installed in
  /usr/local/tomcat
 
  I created an XML file called application.xml in
  /usr/local/tomcat/conf/Catalina/localhost
  where application is the name of the webapp. That worked so far.
  The file consisted just of a few lines:
 
  <Context path="/NetAdmin"
 docBase="${catalina.home}/webapps/NetAdmin"
  debug="0" privileged="true">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
  allow="192.100.46.*,172.16.*.*,194.25.29.*,127.0.0.1"/>
  </Context>
 
  I have to mention that I did neither write that app nor know much
  about it anyway.. it uses a JDBC connection
  to a mysql database to write data to that db. But after
 creating that
  config file mentioned above, the
  JDBC driver didn't work anymore...
 
  Anyone can help me with that?

 It looks like your new Context definition is overriding an existing
 Context definition for this web application which contains
 the resource
 definition for the MySQL database.

 So you should have a look at your $CATALINA_HOME/conf/server.xml if
 there might be an existing Context definition inside the related Host
 element.


I looked at the $CATALINA_HOME/conf/server.xml file, but can't find anything
like that inside the HOST element. It's the standard server.xml file though,
I don't know in what way a servlet itself can change that file; but I don't
think it can.

 You should also look for a context.xml in the
 $CATALINA_HOME/webapps/[webapp]/META-INF/ directory for the same
 reason.


I did, but there is none, and there never was one. That's what I thought
first,
but there's just a MANIFEST.MF file inside.

 If you will find an existing Context definition, then insert
 your valve
 filter there and delete your newly created application.xml.


 Best wishes

 Lutz



I attached the server.xml and the application's xml file to the mail though.

Regards,

Jens


AW: Restrict access to webapps for IPs

2005-05-11 Thread Altrock, Jens
Hm didn't attach them.. 
So here they are:

Server.xml:

<!-- Example Server Configuration File -->
<!-- Note that component elements are nested corresponding to their
     parent-child relationships with each other -->

<!-- A Server is a singleton element that represents the entire JVM,
     which may contain one or more Service instances.  The Server
     listens for a shutdown command on the indicated port.

     Note:  A Server is not itself a Container, so you may not
     define subcomponents such as Valves or Loggers at this level.
 -->

<Server port="8005" shutdown="SHUTDOWN" debug="0">


  <!-- Comment these entries out to disable JMX MBeans support -->
  <!-- You may also configure custom components (e.g. Valves/Realms) by
       including your own mbean-descriptor file(s), and setting the
       descriptors attribute to point to a ';' seperated list of paths
       (in the ClassLoader sense) of files to add to the default list.
       e.g. descriptors="/com/myfirm/mypackage/mbean-descriptor.xml"
  -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
            debug="0"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
            debug="0"/>

  <!-- Global JNDI resources -->
  <GlobalNamingResources>

    <!-- Test entry for demonstration purposes -->
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>

    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved">
    </Resource>
    <ResourceParams name="UserDatabase">
      <parameter>
        <name>factory</name>
        <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
      </parameter>
      <parameter>
        <name>pathname</name>
        <value>conf/tomcat-users.xml</value>
      </parameter>
    </ResourceParams>

  </GlobalNamingResources>

  <!-- A Service is a collection of one or more Connectors that share
       a single Container (and therefore the web applications visible
       within that Container).  Normally, that Container is an Engine,
       but this is not required.

       Note:  A Service is not itself a Container, so you may not
       define subcomponents such as Valves or Loggers at this level.
   -->

  <!-- Define the Tomcat Stand-Alone Service -->
  <Service name="Catalina">

    <!-- A Connector represents an endpoint by which requests are received
         and responses are returned.  Each Connector passes requests on to the
         associated Container (normally an Engine) for processing.

         By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
         You can also enable an SSL HTTP/1.1 Connector on port 8443 by
         following the instructions below and uncommenting the second Connector
         entry.  SSL support requires the following steps (see the SSL Config
         HOWTO in the Tomcat 5 documentation bundle for more detailed
         instructions):
         * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
           later, and put the JAR files into $JAVA_HOME/jre/lib/ext.
         * Execute:
             %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
             $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  (Unix)
           with a password value of changeit for both the certificate and
           the keystore itself.

         By default, DNS lookups are enabled when a web application calls
         request.getRemoteHost().  This can have an adverse impact on
         performance, so you can disable it by setting the
         enableLookups attribute to false.  When DNS lookups are disabled,
         request.getRemoteHost() will return the String version of the
         IP address of the remote client.
    -->

    <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               debug="0" connectionTimeout="2"
               disableUploadTimeout="true" />
    <!-- Note : To disable connection timeouts, set connectionTimeout value
         to 0 -->

    <!-- Note : To use gzip compression you could set the following properties :

               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml"
    -->

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    <!--

Re: Restrict access to webapps for IPs

2005-05-11 Thread Lutz Zetzsche
Hi Jens,

On Wednesday, 11 May 2005 09:01, Altrock, Jens wrote:
  -----Original Message-----
  From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, 11 May 2005 08:50
  To: Tomcat Users List
  Subject: Re: Restrict access to webapps for IPs
 
 
  Hi Jens,
 
  On Wednesday, 11 May 2005 08:17, Altrock, Jens wrote:
   Ok tried it again.. first some more information:
   I am using Tomcat 5.0.28 on Redhat Fedora Core 3, installed in
   /usr/local/tomcat

[...]

   I have to mention that I did neither write that app nor know much
   about it anyway.. it uses a JDBC connection
   to a mysql database to write data to that db. But after
 
  creating that
 
   config file mentioned above, the
   JDBC driver didn't work anymore...
  
   Anyone can help me with that?
 
  It looks like your new Context definition is overriding an existing
  Context definition for this web application which contains
  the resource
  definition for the MySQL database.
 
  So you should have a look at your $CATALINA_HOME/conf/server.xml if
  there might be an existing Context definition inside the related
  Host element.

 I looked at the $CATALINA_HOME/conf/server.xml file, but can't find
 anything like that inside the HOST element. It's the standard
 server.xml file though, I don't know in what way a servlet itself can
 change that file; but I don't think it can.

  You should also look for a context.xml in the
  $CATALINA_HOME/webapps/[webapp]/META-INF/ directory for the same
  reason.

 I did, but there is none, and there never was one. That's what I
 thought first,
 but there's just a MANIFEST.MF file inside.

If the MySQL database base connection has worked before and will work 
again, when you remove your newly created Context file, then there has 
to be a Resource definition for it somewhere.

As you are using Linux why don't you simply search the files in the 
$CATALINA_HOME directory for this Resource definition? I.e. like this:

grep -R mysql /usr/local/tomcat

This way, you should find the file defining the MySQL resource for your 
web application (context). Then proceed as I suggested.


Best wishes

Lutz




RE : Restrict access to webapps for IPs

2005-05-11 Thread LERBSCHER Jean-Pierre
See
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/host.html#Automatic Application Deployment

 When using automatic deployment, the docBase defined by an XML Context
file should be outside of the appBase directory. If this is not the case
difficulties may be experienced deploying the web application or the
application may be deployed twice.


-----Original Message-----
From: Altrock, Jens [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 11 May 2005 09:01
To: 'Tomcat Users List'
Subject: AW: Restrict access to webapps for IPs

 -----Original Message-----
 From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 11 May 2005 08:50
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs
 
 
 Hi Jens,
 
 On Wednesday, 11 May 2005 08:17, Altrock, Jens wrote:
  Ok tried it again.. first some more information:
  I am using Tomcat 5.0.28 on Redhat Fedora Core 3, installed in
  /usr/local/tomcat
 
  I created an XML file called application.xml in
  /usr/local/tomcat/conf/Catalina/localhost
  where application is the name of the webapp. That worked so far.
  The file consisted just of a few lines:
 
  <Context path="/NetAdmin"
 docBase="${catalina.home}/webapps/NetAdmin"
  debug="0" privileged="true">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
  allow="192.100.46.*,172.16.*.*,194.25.29.*,127.0.0.1"/>
  </Context>
 
  I have to mention that I did neither write that app nor know much
  about it anyway.. it uses a JDBC connection
  to a mysql database to write data to that db. But after 
 creating that
  config file mentioned above, the
  JDBC driver didn't work anymore...
 
  Anyone can help me with that?
 
 It looks like your new Context definition is overriding an existing 
 Context definition for this web application which contains 
 the resource 
 definition for the MySQL database.
 
 So you should have a look at your $CATALINA_HOME/conf/server.xml if 
 there might be an existing Context definition inside the related Host 
 element.


I looked at the $CATALINA_HOME/conf/server.xml file, but can't find anything
like that inside the HOST element. It's the standard server.xml file though,
I don't know in what way a servlet itself can change that file; but I don't 
think it can.
 
 You should also look for a context.xml in the 
 $CATALINA_HOME/webapps/[webapp]/META-INF/ directory for the same 
 reason.
 

I did, but there is none, and there never was one. That's what I thought
first,
but there's just a MANIFEST.MF file inside.

 If you will find an existing Context definition, then insert 
 your valve 
 filter there and delete your newly created application.xml.
 
 
 Best wishes
 
 Lutz
 
 

I attached the server.xml and the application's xml file to the mail though.

Regards,

Jens




AW: Restrict access to webapps for IPs

2005-05-11 Thread Altrock, Jens
Ok, thanks again. Got it now working :)


 -----Original Message-----
 From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 11 May 2005 09:35
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs


 Hi Jens,

 On Wednesday, 11 May 2005 09:01, Altrock, Jens wrote:
   -----Original Message-----
   From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, 11 May 2005 08:50
   To: Tomcat Users List
   Subject: Re: Restrict access to webapps for IPs
  
  
   Hi Jens,
  
   On Wednesday, 11 May 2005 08:17, Altrock, Jens wrote:
Ok tried it again.. first some more information:
I am using Tomcat 5.0.28 on Redhat Fedora Core 3, installed in
/usr/local/tomcat

 [...]

I have to mention that I did neither write that app nor
 know much
about it anyway.. it uses a JDBC connection
to a mysql database to write data to that db. But after
  
   creating that
  
config file mentioned above, the
JDBC driver didn't work anymore...
   
Anyone can help me with that?
  
   It looks like your new Context definition is overriding
 an existing
   Context definition for this web application which contains
   the resource
   definition for the MySQL database.
  
   So you should have a look at your
 $CATALINA_HOME/conf/server.xml if
   there might be an existing Context definition inside the related
   Host element.
 
  I looked at the $CATALINA_HOME/conf/server.xml file, but can't find
  anything like that inside the HOST element. It's the standard
  server.xml file though, I don't know in what way a servlet
 itself can
  change that file; but I don't think it can.
 
   You should also look for a context.xml in the
   $CATALINA_HOME/webapps/[webapp]/META-INF/ directory for the same
   reason.
 
  I did, but there is none, and there never was one. That's what I
  thought first,
  but there's just a MANIFEST.MF file inside.

 If the MySQL database base connection has worked before and will work 
 again, when you remove your newly created Context file, then
 there has
 to be a Resource definition for it somewhere.

 As you are using Linux why don't you simply search the files in the
 $CATALINA_HOME directory for this Resource definition? I.e. like this:

   grep -R mysql /usr/local/tomcat

 This way, you should find the file defining the MySQL
 resource for your
 web application (context). Then proceed as I suggested.


 Best wishes

 Lutz




Restrict access to webapps for IPs

2005-05-10 Thread Altrock, Jens
Hi there,

Hope this question won't sound as dumb, for I am completely new to Tomcat;
and I haven't found 
what I was searching for in the documentation though...

I got four different applications/websites in the Tomcat webapps directory,
let's just call them A,
B, C and D. 
The applications A, B and C should be accessible from the networks
192.100.46.0/24 
as well as 172.16.0.0/16
But application D should be accessible from anywhere.

Is there any way to do this in tomcat? I tried with the apache .htaccess
files, but that won't work though.

Hope anyone can help me

Regards,

Jens Altrock





Re: Restrict access to webapps for IPs

2005-05-10 Thread Tim Funk
http://jakarta.apache.org/tomcat/faq/security.html#restrict
-Tim
Altrock, Jens wrote:
Hi there,
Hope this question won't sound as dumb, for I am completely new to Tomcat;
and I haven't found 
what I was searching for in the documentation though...

I got four different applications/websites in the Tomcat webapps directory,
let's just call them A,
B, C and D. 
The applications A, B and C should be accessible from the networks
192.100.46.0/24 
as well as 172.16.0.0/16
But application D should be accessible from anywhere.

Is there any way to do this in tomcat? I tried with the apache .htaccess
files, but that won't work though.


AW: Restrict access to webapps for IPs

2005-05-10 Thread Altrock, Jens
That's what I already read, but there's never said in which config files
to put that in, nor are there any examples... or didn't I see them too?

Jens


 -----Original Message-----
 From: Tim Funk [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 10 May 2005 14:42
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs


 http://jakarta.apache.org/tomcat/faq/security.html#restrict

 -Tim

 Altrock, Jens wrote:
  Hi there,
 
  Hope this question won't sound as dumb, for I am completely
 new to Tomcat;
  and I haven't found
  what I was searching for in the documentation though...
 
  I got four different applications/websites in the Tomcat
 webapps directory,
  let's just call them A,
  B, C and D.
  The applications A, B and C should be accessible from the networks
  192.100.46.0/24
  as well as 172.16.0.0/16
  But application D should be accessible from anywhere.
 
  Is there any way to do this in tomcat? I tried with the
 apache .htaccess
  files, but that won't work though.
 




Re: AW: Restrict access to webapps for IPs

2005-05-10 Thread Tim Funk
Can be placed in either server.xml, the context declaration for the webapp 
(or both)

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="127.0.0.1"/>
-Tim
Altrock, Jens wrote:
That's what I already read, but there's never said in which config files
to put that in, nor are there any examples... or didn't I see them too?
Jens

-----Original Message-----
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 10 May 2005 14:42
To: Tomcat Users List
Subject: Re: Restrict access to webapps for IPs
http://jakarta.apache.org/tomcat/faq/security.html#restrict
-Tim
Altrock, Jens wrote:
Hi there,
Hope this question won't sound as dumb, for I am completely 
new to Tomcat;
and I haven't found 
what I was searching for in the documentation though...

I got four different applications/websites in the Tomcat 
webapps directory,
let's just call them A,
B, C and D. 
The applications A, B and C should be accessible from the networks
192.100.46.0/24 
as well as 172.16.0.0/16
But application D should be accessible from anywhere.

Is there any way to do this in tomcat? I tried with the 
apache .htaccess
files, but that won't work though.


Re: Restrict access to webapps for IPs

2005-05-10 Thread Lutz Zetzsche
Hi Jens,

Altrock, Jens wrote:
 That's what I already read, but there's never said in which config files
 to put that in, nor are there any examples... or didn't I see them too?

What you are looking for is the RemoteAddrValve valve:

http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/valve.html#Remote%20Address%20Filter

Reading your first mail, the right place for the RemoteAddrValve valve
should be within the Context element in your case, although it can also
be used for the Host or even the Engine. Each Context element is representing
a web application. For more information, please read the following page
which also explains where to store the Context element:

http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/context.html

Please note that the above two links refer to Tomcat version 5.5. The
information on these pages may not suit previous Tomcat versions. If you
use a Tomcat version prior to 5.5, please consult the respective
documentation.


Best wishes

Lutz




 -----Original Message-----
 From: Tim Funk [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 10 May 2005 14:42
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs


 http://jakarta.apache.org/tomcat/faq/security.html#restrict

 -Tim

 Altrock, Jens wrote:
  Hi there,
 
  Hope this question won't sound as dumb, for I am completely
 new to Tomcat;
  and I haven't found
  what I was searching for in the documentation though...
 
  I got four different applications/websites in the Tomcat
 webapps directory,
  let's just call them A,
  B, C and D.
  The applications A, B and C should be accessible from the networks
  192.100.46.0/24
  as well as 172.16.0.0/16
  But application D should be accessible from anywhere.
 
  Is there any way to do this in tomcat? I tried with the
 apache .htaccess
  files, but that won't work though.
 




AW: AW: Restrict access to webapps for IPs

2005-05-10 Thread Altrock, Jens
Ok, got that. But do I need to install the regular expressions library?
And how to say that I want a whole subnet to be added?


 -----Original Message-----
 From: Tim Funk [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 10 May 2005 14:56
 To: Tomcat Users List
 Subject: Re: AW: Restrict access to webapps for IPs


 Can be placed in either server.xml, the context declaration
 for the webapp
 (or both)

 <Valve className="org.apache.catalina.valves.RemoteAddrValve"
  allow="127.0.0.1"/>

 -Tim

 Altrock, Jens wrote:

  That's what I already read, but there's never said in which
 config files
  to put that in, nor are there any examples... or didn't I
 see them too?
 
  Jens
 
 
 
 -----Original Message-----
 From: Tim Funk [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 10 May 2005 14:42
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs
 
 
 http://jakarta.apache.org/tomcat/faq/security.html#restrict
 
 -Tim
 
 Altrock, Jens wrote:
 
 Hi there,
 
 Hope this question won't sound as dumb, for I am completely
 
 new to Tomcat;
 
 and I haven't found
 what I was searching for in the documentation though...
 
 I got four different applications/websites in the Tomcat
 
 webapps directory,
 
 let's just call them A,
 B, C and D.
 The applications A, B and C should be accessible from the networks
 192.100.46.0/24
 as well as 172.16.0.0/16
 But application D should be accessible from anywhere.
 
 Is there any way to do this in tomcat? I tried with the
 
 apache .htaccess
 
 files, but that won't work though.
 
 
 



Re: Restrict access to webapps for IPs

2005-05-10 Thread Lutz Zetzsche
Hi Jens,

Altrock, Jens wrote:
 Ok, got that. But do I need to install the regular expressions library?

To my practical knowledge, the RemoteAddrValve will work out of the box.
You don't have to install additional libraries to get it to work.


 And how to say that I want a whole subnet to be added?

For allowing a whole subnet, just use an asterisk in the allow attribute
value:

 <Valve ... allow="192.168.0.*"/>


Lutz
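
Added example, not part of the thread and not Tomcat code: the valve's allow value is a comma-separated list of regular expressions, so an unescaped dot matches any character and 172.16.*.* also accepts 172.160.x.x to 172.169.x.x. The Python below models that check on the allow list posted in this thread and builds an escaped equivalent. Assumptions: whole-string matching, the INTENDED list as a reading of what the allow list aims for, support for \d in the valve's regex engine, and all function names.

```python
import ipaddress
import re

# allow value from the Context file posted in this thread.
THREAD_ALLOW = "192.100.46.*,172.16.*.*,194.25.29.*,127.0.0.1"
# Networks that list appears to aim for (an interpretation, not the poster's words).
INTENDED = ["192.100.46.0/24", "172.16.0.0/16", "194.25.29.0/24", "127.0.0.1/32"]


def allow_matches(allow, ip):
    """Model of the valve's check: split on commas, treat each item as a regex.

    Assumption: the whole address must match. An engine that only searches
    for the pattern somewhere in the address accepts at least as much.
    """
    return any(re.fullmatch(p.strip(), ip) for p in allow.split(",") if p.strip())


def cidr_to_pattern(cidr):
    """Regex for an octet-aligned IPv4 network, with the dots escaped.

    Uses \\d+ rather than \\d{1,3}: the allow value is split on commas, so a
    {1,3} quantifier would be cut in two.
    """
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError(f"{cidr}: only /8, /16, /24 and /32 IPv4 networks map to one pattern")
    fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
    return r"\.".join(fixed + [r"\d+"] * (4 - len(fixed)))


def overmatched_prefixes(allow, intended):
    """Probe one address (a.b.1.1) per /16 and return the "a.b" prefixes the
    allow list accepts although no intended network contains the probe.
    Not exhaustive: it only finds leaks visible in the first two octets."""
    nets = [ipaddress.ip_network(c) for c in intended]
    patterns = [re.compile(p.strip()) for p in allow.split(",") if p.strip()]
    leaks = []
    for a in range(256):
        for b in range(256):
            probe = f"{a}.{b}.1.1"
            if not any(p.fullmatch(probe) for p in patterns):
                continue
            if not any(ipaddress.ip_address(probe) in n for n in nets):
                leaks.append(f"{a}.{b}")
    return leaks


# Escaped allow value generated from the intended networks.
HARDENED = ",".join(cidr_to_pattern(c) for c in INTENDED)

if __name__ == "__main__":
    for label, allow in (("thread", THREAD_ALLOW), ("hardened", HARDENED)):
        print(label, allow)
        print("  172.16.9.9 accepted: ", allow_matches(allow, "172.16.9.9"))
        print("  172.160.9.9 accepted:", allow_matches(allow, "172.160.9.9"))
        print("  extra /16 prefixes:  ", overmatched_prefixes(allow, INTENDED))
```

The value of HARDENED can be pasted into the allow attribute as it stands; it contains no commas other than the separators between patterns.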





AW: Restrict access to webapps for IPs

2005-05-10 Thread Altrock, Jens
Hm... won't work :(

I added to one of the apps in webapps/name_of_app/WEB-INF/web.xml the
following:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="192.100.46.*"/>

right after the web-app tag in the xml file.
But people can access that application from the internet anyway...


 -----Original Message-----
 From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 10 May 2005 16:00
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs


 Hi Jens,

 Altrock, Jens wrote:
  Ok, got that. But do I need to install the regular
 expressions library?

 To my practical knowledge, the RemoteAddrValve will work out
 of the box.
 You don't have to install additional libraries to get it to work.


  And how to say that I want a whole subnet to be added?

 For allowing a whole subnet, just use an asterisk in the
 allow attribute
 value:

  <Valve ... allow="192.168.0.*"/>


 Lutz





RE: Restrict access to webapps for IPs

2005-05-10 Thread Raghupathy,Gurumoorthy
Not in web.xml but in server.xml in your <context></context>


-Original Message-
From: Altrock, Jens [mailto:[EMAIL PROTECTED] 
Sent: 10 May 2005 15:13
To: 'Tomcat Users List'
Subject: AW: Restrict access to webapps for IPs


Hm... won't work :(

I added to one of the apps in webapps/name_of_app/WEB-INF/web.xml the
following:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="192.100.46.*"/>

right after the web-app tag in the xml file.
But people can access that application from the internet anyway...


 -----Original Message-----
 From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 10 May 2005 16:00
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs
 
 
 Hi Jens,
 
 Altrock, Jens wrote:
  Ok, got that. But do I need to install the regular 
 expressions library?
 
 To my practical knowledge, the RemoteAddrValve will work out 
 of the box.
 You don't have to install additional libraries to get it to work.
 
 
  And how to say that I want a whole subnet to be added?
 
 For allowing a whole subnet, just use an asterisk in the 
 allow attribute
 value:
 
  <Valve ... allow="192.168.0.*"/>
 
 
 Lutz
 
 



Re: Restrict access to webapps for IPs

2005-05-10 Thread Lutz Zetzsche
Hi Jens,

Altrock, Jens wrote:
 Hm... won't work :(

 I added to one of the apps in webapps/name_of_app/WEB-INF/web.xml the
 following:

 <Valve className="org.apache.catalina.valves.RemoteAddrValve"
 allow="192.100.46.*"/>

 right after the web-app tag in the xml file.
 But people can access that application from the internet anyway...

You have put the Valve element into the wrong file or place. It cannot
be nested into the web-app element and cannot be placed in the web.xml.
You have to nest it into an engine, host or context element.

In your case, you have to nest it into the context element because you
want to apply the filter rule to a web application which is equivalent to
the context element in Tomcat terms.

You should have a look at one of the links I mentioned to find the right
place for the Valve element:

http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/context.html

Try one of these options offered on this page (refers to Tomcat version 5.5):

* in individual files (with a .xml extension) in the
$CATALINA_HOME/conf/[enginename]/[hostname]/ directory
* if the previous file was not found for this application, in individual
file at /META-INF/context.xml inside the application files


Best wishes

Lutz





RE: Restrict access to webapps for IPs

2005-05-10 Thread Lutz Zetzsche
Hi,

Raghupathy,Gurumoorthy wrote:
 Not in web.xml but in server.xml in your <context></context>

As regards the server.xml, this depends on the Tomcat version you are
using. The documentation emphasizes:

Please note that for tomcat 5, unlike tomcat 4.x, it is NOT recommended
to place Context elements directly in the server.xml file.

- http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/context.html


Best wishes

Lutz

