Jaikit

You can ask Catalina to check the IP address, or host name, on every incoming request directed to the surrounding elements Engine, Host, or Context element. The remote address or name will be checked against a configured list of "allow" and/or "deny" filters, which are defined using the Regular Expression syntax supported by the Jakarta Regexp (http://jakarta.apache.org/regexp/) regular expression library. Requests that come from locations that are not accepted will be rejected with an HTTP "Forbidden" error. Example filter declarations:

e.g.

<Host name="localhost" ...>
  ...
  <Valve className="org.apache.catalina.valves.RemoteHostValve"
         allow="*.mycompany.com,www.yourcompany.com"/>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         deny="192.168.1.*"/>
  ...
</Host>

HTH,
Martin

> Date: Sat, 22 Sep 2012 23:36:33 -0700
> From: jaikit.sa...@yahoo.com
> Subject: Re: Authenticate requests from localhost using tomcat RemoteAddrFilter
> To: users@tomcat.apache.org
>
> I have not yet tried playing with firewall.
> I was thinking in the lines of adding capability in filter to find if the
> request originated from localhost. Right now it just does string comparison.
>
> Jaikit
>
>
> ----- Original Message -----
> From: Ralph Plawetzki <ra...@purejava.org>
> To: Tomcat Users List <users@tomcat.apache.org>
> Cc:
> Sent: Saturday, September 22, 2012 10:41 PM
> Subject: Re: Authenticate requests from localhost using tomcat RemoteAddrFilter
>
> Jaikit,
>
> On 23.09.2012 00:04, Jaikit Savla wrote:
> > Hello Users,
> >
> > I have some admin api's which I want to have restricted access - such that
> > only if the request originates from localhost - it will execute.
> > For that I am using tomcat's RemoteAddrfilter
> what exactly do you mean with admin api's?
>
> > <filter>
> >   <filter-name>Remote Address Filter</filter-name>
> >   <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
> >   <init-param>
> >     <param-name>allow</param-name>
> >     <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
> >   </init-param>
> > </filter>
> > <filter-mapping>
> >   <filter-name>Remote Address Filter</filter-name>
> >   <url-pattern>/*</url-pattern>
> > </filter-mapping>
> see http://www.oracle.com/technetwork/java/filters-137243.html
> "A filter dynamically intercepts requests and responses to transform or
> use the information contained in the requests or responses." So this is
> something that is part of a web application which is running on tomcat.
>
> > Now when I execute the request from localhost - request fails with 403.
> > Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter
> > does string comparison of ip. Hence it fails.
> > Any clue on how to resolve this use case?
> >
> > -bash-4.1$ curl -v http://localhost/ws/local/info
> > * About to connect() to localhost port 80 (#0)
> > * Trying 127.0.0.1... connected
> > * Connected to localhost (127.0.0.1) port 80 (#0)
> >> GET /ws/local/vip/info HTTP/1.1
> >> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> >> Host: localhost
> >> Accept: */*
> >>
> > < HTTP/1.1 403 Forbidden
>
> I am guessing here: if you want to restrict access to your tomcat server
> to certain clients, you could solve this by configuring your firewall
> accordingly.
>
> Ralph
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
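
The difference between the string comparison and an address-based "originated from this host" check discussed in the thread, as an added Java example (not code from Tomcat or from any poster). The class and method names are hypothetical, the sample addresses are constructed, and it assumes the allow expression is applied as a full match with java.util.regex.

```java
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.util.Collections;
import java.util.regex.Pattern;

public class LocalOriginCheck {  // hypothetical class, not part of Tomcat
    // The allow expression from the filter configuration quoted in the thread.
    static final Pattern ALLOW =
            Pattern.compile("127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1");

    // String test (assumed full-match semantics): only loopback spellings pass.
    static boolean matchesAllow(String remoteAddr) {
        return ALLOW.matcher(remoteAddr).matches();
    }

    // Address test: loopback, or bound to one of this host's interfaces.
    // Caveat: behind a reverse proxy on the same host every proxied request
    // has a local source address, so this would also pass for remote clients.
    static boolean isLocalOrigin(String remoteAddr) throws Exception {
        InetAddress addr = InetAddress.getByName(remoteAddr); // IP literal: no DNS lookup
        return addr.isLoopbackAddress()
                || NetworkInterface.getByInetAddress(addr) != null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples; 192.0.2.10 is a documentation-range address.
        for (String s : new String[] {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "192.0.2.10"}) {
            System.out.printf("%-16s regex=%-5b local=%b%n",
                    s, matchesAllow(s), isLocalOrigin(s));
        }
        // This machine's own addresses: the non-loopback ones are local
        // origins yet fail the regex, the case the original poster describes.
        for (NetworkInterface ni : Collections.list(NetworkInterface.getNetworkInterfaces())) {
            for (InetAddress a : Collections.list(ni.getInetAddresses())) {
                System.out.printf("%-40s regex=%b%n",
                        a.getHostAddress(), matchesAllow(a.getHostAddress()));
            }
        }
    }
}
```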