2012/9/23 Martin Gainty <mgai...@hotmail.com>:
>
> Jaikit
>
> You can ask Catalina to check the IP address, or host name, on every  
> incoming request directed to the surrounding elements
>     <a href="engine.html">Engine</a>,
>     <a href="host.html">Host</a>, or
>     <a href="context.html">Context</a> element.
> The remote address or name will be checked against a configured list of 
> "allow" and/or "deny" filters, which are defined using the Regular Expression 
> syntax supported by the
> <a href="http://jakarta.apache.org/regexp/">Jakarta Regexp</a> regular 
> expression library.
>  Requests that come from locations that are not accepted will be rejected 
> with an HTTP "Forbidden" error.
>     Example filter declarations:
>
> e.g.
>
> <Host name="localhost" ...>
>   ...
>   <Valve className="org.apache.catalina.valves.RemoteHostValve"
>          allow="*.mycompany.com,www.yourcompany.com"/>
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>          deny="192.168.1.*"/>
>   ...
> </Host>
>
> HTH,
> Martin
>

Martin,

what crap of outdated documentation are you citing?

1. RemoteHostValve uses Java regexp implementation, not Jakarta one
2. Comma (,) is not a valid separator between values there in Tomcat 7.



>
>
>> Date: Sat, 22 Sep 2012 23:36:33 -0700
>> From: jaikit.sa...@yahoo.com
>> Subject: Re: Authenticate requests from localhost using tomcat 
>> RemoteAddrFilter
>> To: users@tomcat.apache.org
>>
>> I have not yet tried playing with firewall.
>> I was thinking along the lines of adding a capability to the filter to find 
>> out whether the request originated from localhost. Right now it just does a 
>> string comparison.
>>
>> Jaikit
>>
>>
>> ----- Original Message -----
>> From: Ralph Plawetzki <ra...@purejava.org>
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Cc:
>> Sent: Saturday, September 22, 2012 10:41 PM
>> Subject: Re: Authenticate requests from localhost using tomcat 
>> RemoteAddrFilter
>>
>> Jaikit,
>>
>> On 23.09.2012 00:04, Jaikit Savla wrote:
>> > Hello Users,
>> >
>> > I have some admin APIs which I want to have restricted access - such that 
>> > only if the request originates from localhost - it will execute.
>> > For that I am using Tomcat's RemoteAddrFilter
>> What exactly do you mean by admin APIs?
>>
>> > <filter>
>> >       <filter-name>Remote Address Filter</filter-name>
>> >       <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>> >       <init-param>
>> >         <param-name>allow</param-name>
>> >         <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>> >       </init-param>
>> >     </filter>
>> >     <filter-mapping>
>> >       <filter-name>Remote Address Filter</filter-name>
>> >       <url-pattern>/*</url-pattern>
>> >     </filter-mapping>
>> see http://www.oracle.com/technetwork/java/filters-137243.html
>> "A filter dynamically intercepts requests and responses to transform or
>> use the information contained in the requests or responses." So this is
>> something that is part of a web application which is running on Tomcat.
>>
>> > Now when I execute the request from localhost - request fails with 403. 
>> > Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter 
>> > does string comparison of ip. Hence it fails.
>> > Any clue on how to resolve this use case ?
>> >
>> >
>> >
>> >
>> > -bash-4.1$ curl -v http://localhost/ws/local/info
>> > * About to connect() to localhost port 80 (#0)
>> > *   Trying 127.0.0.1... connected
>> > * Connected to localhost (127.0.0.1) port 80 (#0)
>> >> GET /ws/local/vip/info HTTP/1.1
>> >> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7 
>> >> OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
>> >> Host: localhost
>> >> Accept: */*
>> >>
>> > < HTTP/1.1 403 Forbidden
>>
>> I am guessing here: if you want to restrict access to your tomcat server
>> to certain clients, you could solve this by configuring your firewall
>> accordingly.
>>
>> Ralph
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
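
Added example, not part of the original thread and not Tomcat's own code: a small Java program that runs the attribute values quoted in this thread through java.util.regex, assuming each attribute is compiled as a single pattern that must match the whole address and that deny is checked before allow. The class name, the helper methods and the addresses 192.168.100.7, 10.0.0.1, 10.0.0.2 and 10.1.2.3 are constructed for illustration.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class RemoteAddrPatternCheck {
    // Assumed decision order for this sketch: deny wins, then allow; a
    // deny-only configuration admits whatever deny did not match.
    static boolean permitted(String allow, String deny, String addr) {
        if (deny != null && Pattern.matches(deny, addr)) return false;
        if (allow != null && Pattern.matches(allow, addr)) return true;
        return deny != null && allow == null;
    }

    // Reports whether java.util.regex accepts the attribute value at all.
    static String compileStatus(String regex) {
        try {
            Pattern.compile(regex);
            return "compiles";
        } catch (PatternSyntaxException e) {
            return "rejected (" + e.getDescription() + ")";
        }
    }

    public static void main(String[] args) {
        // Glob-style, comma-separated value from the quoted example.
        System.out.println("*.mycompany.com,www.yourcompany.com -> "
                + compileStatus("*.mycompany.com,www.yourcompany.com"));

        // Unescaped dots and a trailing ".*" block more than 192.168.1.0/24.
        String looseDeny = "192.168.1.*";
        String strictDeny = "192\\.168\\.1\\.\\d+";
        for (String addr : new String[] {"192.168.1.7", "192.168.100.7"}) {
            System.out.printf("%-14s loose deny permits=%b, strict deny permits=%b%n",
                    addr, permitted(null, looseDeny, addr), permitted(null, strictDeny, addr));
        }

        // A comma is an ordinary character; alternatives are joined with '|'.
        String commaList = "10\\.0\\.0\\.1,10\\.0\\.0\\.2";
        String alternation = "10\\.0\\.0\\.1|10\\.0\\.0\\.2";
        System.out.println("comma list permits 10.0.0.1: " + permitted(commaList, null, "10.0.0.1"));
        System.out.println("alternation permits 10.0.0.1: " + permitted(alternation, null, "10.0.0.1"));

        // Loopback-only allow value from the question: a request whose remote
        // address is the machine's own interface address is refused (403).
        String loopback = "127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1";
        for (String addr : new String[] {"127.0.0.1", "0:0:0:0:0:0:0:1", "10.1.2.3"}) {
            System.out.println(addr + " permitted: " + permitted(loopback, null, addr));
        }
    }
}
```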
