Hi,

You are right, it does regex matching. I wanted to say that it does not do any 
kind of DNS lookup in the filter. 
@configuration: I do not have any particular configuration or firewall set up. 
I have included the output from tcpdump below (listening on the loopback 
interface), and as you can see it gets the IP address from the eth1 interface. 
Since I have my hosts where this code will be deployed, adding the IP to the 
filter will be a lot of work.


===============================

tcpdump -i lo


No.     Time        Source                Destination           Protocol Length Info
     46 0.822296    108.13.226.208        108.13.226.208        HTTP     270    GET /ws/local/vip/info HTTP/1.1

Frame 46: 270 bytes on wire (2160 bits), 270 bytes captured (2160 bits)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 108.13.226.208 (108.13.226.208), Dst: 108.13.226.208 (108.13.226.208)
Transmission Control Protocol, Src Port: 16217 (16217), Dst Port: http (80), Seq: 1, Ack: 1, Len: 204
Hypertext Transfer Protocol

=================================

-bash-4.1$ ifconfig
eth1      Link encap:Ethernet  HWaddr xx  
          inet addr:108.13.226.208 Bcast:108.13.226.208  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:xx errors:0 dropped:91 overruns:0 frame:379
          TX packets:xx errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:5000 
          RX bytes:xx (8.5 GiB)  TX bytes:xx (6.2 GiB)
          Interrupt:17 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:xx errors:0 dropped:0 overruns:0 frame:0
          TX packets:xx errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:xx (102.4 GiB)  TX bytes:xx (102.4 GiB)

Thanks

________________________________
 From: Konstantin Kolinko <knst.koli...@gmail.com>
To: Tomcat Users List <users@tomcat.apache.org> 
Sent: Sunday, September 23, 2012 6:52 AM
Subject: Re: Authenticate requests from localhost using tomcat RemoteAddrFilter
 
2012/9/23 Jaikit Savla <jaikit.sa...@yahoo.com>:
> Hello Users,
>
> I have some admin APIs which I want to have restricted access, such that 
> only if the request originates from localhost will it execute.
> For that I am using Tomcat's RemoteAddrFilter
>
> <filter>
>       <filter-name>Remote Address Filter</filter-name>
>       <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>       <init-param>
>         <param-name>allow</param-name>
>         <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>       </init-param>
>     </filter>
>     <filter-mapping>
>       <filter-name>Remote Address Filter</filter-name>
>       <url-pattern>/*</url-pattern>
>     </filter-mapping>
>
> Now when I execute the request from localhost, the request fails with 403. 
> The reason is that "REMOTE_ADDR" is set to the actual IP of the machine and 
> the filter does a string comparison of the IP, hence it fails.
> Any clue on how to resolve this use case?
>

1. There must be some reason why "REMOTE_ADDR"  has that value in your
configuration.  Your description is lacking. What is your
configuration?

2. The filter does not do string comparison, but does regexp matching.

Nothing prevents you from adding that additional value to the regular
expression.


>
>
>
> -bash-4.1$ curl -v http://localhost/ws/local/info
> * About to connect() to localhost port 80 (#0)
> *   Trying 127.0.0.1... connected
> * Connected to localhost (127.0.0.1) port 80 (#0)
>> GET /ws/local/vip/info HTTP/1.1
>> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7 
>> OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
>> Host: localhost
>> Accept: */*
>>
> < HTTP/1.1 403 Forbidden
>
> Appreciate any help.
>
> Thanks
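
What Konstantin's suggestion amounts to, as an added example that is not part of the original thread or of Tomcat's code: the `allow` pattern from the post with the eth1 address from the `ifconfig` output appended, checked against a few constructed remote addresses. It assumes the filter applies `allow` as a whole-string `java.util.regex` match; `AllowPatternDemo`, `withAddresses` and `isAllowed` are hypothetical names.

```java
import java.util.regex.Pattern;

public class AllowPatternDemo {
    // allow value from the web.xml quoted in the thread (loopback addresses only).
    static final String LOOPBACK_ONLY = "127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1";

    // Hypothetical helper: append literal addresses as extra alternatives.
    // Dots are escaped so each one matches only a literal '.', not any character.
    static String withAddresses(String base, String... literalAddrs) {
        StringBuilder sb = new StringBuilder(base);
        for (String addr : literalAddrs) {
            sb.append('|').append(addr.replace(".", "\\."));
        }
        return sb.toString();
    }

    // Assumption: the remote address must match the whole pattern
    // (Matcher.matches()), not merely contain a matching substring.
    static boolean isAllowed(Pattern allow, String remoteAddr) {
        return allow != null && allow.matcher(remoteAddr).matches();
    }

    public static void main(String[] args) {
        Pattern original = Pattern.compile(LOOPBACK_ONLY);
        // 108.13.226.208 is the eth1 address shown in the ifconfig output.
        Pattern extended = Pattern.compile(withAddresses(LOOPBACK_ONLY, "108.13.226.208"));

        // This string is what would go into <param-value> in web.xml.
        System.out.println("extended allow value: " + extended.pattern());

        // Constructed sample remote addresses; the last one is deliberately
        // malformed to show that a longer string does not slip through.
        String[] remoteAddrs = {
            "127.0.0.1", "0:0:0:0:0:0:0:1", "108.13.226.208",
            "108.13.226.209", "108.13.226.2080"
        };
        for (String addr : remoteAddrs) {
            System.out.printf("%-16s original=%-5b extended=%b%n",
                    addr, isAllowed(original, addr), isAllowed(extended, addr));
        }
    }
}
```

With the address added, every request that reaches Tomcat with 108.13.226.208 as its remote address passes the filter, whichever process on that host sent it.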
