AW: Restrict access to webapps for IPs

2005-05-11 Thread Altrock, Jens
Ok tried it again.. first some more information:
I am using Tomcat 5.0.28 on Redhat Fedora Core 3, installed in
/usr/local/tomcat

I created an XML file called application.xml in
/usr/local/tomcat/conf/Catalina/localhost
where application is the name of the webapp. That worked so far. The file
consisted of just a few lines:

<Context path="/NetAdmin" docBase="${catalina.home}/webapps/NetAdmin"
         debug="0" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="192.100.46.*,172.16.*.*,194.25.29.*,127.0.0.1"/>
</Context>

I have to mention that I neither wrote that app nor know much about it
anyway.. it uses a JDBC connection to a mysql database to write data to
that db. But after creating the config file mentioned above, the JDBC
driver didn't work anymore...

Can anyone help me with that?

Regards,

Jens

 -Original Message-
 From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 10 May 2005 16:24
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs


 Hi Jens,

 Altrock, Jens wrote:
  Hm... won't work :(
 
  I added to one of the apps in webapps/name_of_app/WEB-INF/web.xml the
  following:
 
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="192.100.46.*"/>
 
  right after the web-app tag in the xml file.
  But people can access that application from the internet anyway...

 You have put the Valve element into the wrong file, or rather the wrong
 place. It cannot be nested inside the web-app element and cannot be placed
 in the web.xml. You have to nest it inside an engine, host or context
 element.

 In your case, you have to nest it inside the context element because you
 want to apply the filter rule to a web application, which is equivalent to
 the context element in Tomcat terms.

 You should have a look at one of the links I mentioned to find the right
 place for the Valve element:

 http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/context.html

 Try one of these options offered on this page (refers to Tomcat version
 5.5):

 * in individual files (with a .xml extension) in the
   $CATALINA_HOME/conf/[enginename]/[hostname]/ directory
 * if the previous file was not found for this application, in an
   individual file at /META-INF/context.xml inside the application files


 Best wishes

 Lutz


 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]

###
This message has been scanned by F-Secure Anti-Virus.





AW: Restrict access to webapps for IPs

2005-05-11 Thread Altrock, Jens
 -Original Message-
 From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 11 May 2005 08:50
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs


 Hi Jens,

 On Wednesday, 11 May 2005 08:17, Altrock, Jens wrote:
  Ok tried it again.. first some more information:
  I am using Tomcat 5.0.28 on Redhat Fedora Core 3, installed in
  /usr/local/tomcat
 
  I created an XML file called application.xml in
  /usr/local/tomcat/conf/Catalina/localhost
  where application is the name of the webapp. That worked so far.
  The file consisted of just a few lines:
 
  <Context path="/NetAdmin" docBase="${catalina.home}/webapps/NetAdmin"
           debug="0" privileged="true">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="192.100.46.*,172.16.*.*,194.25.29.*,127.0.0.1"/>
  </Context>
 
  I have to mention that I neither wrote that app nor know much about it
  anyway.. it uses a JDBC connection to a mysql database to write data to
  that db. But after creating the config file mentioned above, the JDBC
  driver didn't work anymore...
 
  Can anyone help me with that?

 It looks like your new Context definition is overriding an existing
 Context definition for this web application which contains the resource
 definition for the MySQL database.

 So you should have a look at your $CATALINA_HOME/conf/server.xml to see
 whether there might be an existing Context definition inside the related
 Host element.


I looked at the $CATALINA_HOME/conf/server.xml file, but can't find anything
like that inside the HOST element. It's the standard server.xml file, though;
I don't know in what way a servlet itself could change that file, but I don't
think it can.

 You should also look for a context.xml in the
 $CATALINA_HOME/webapps/[webapp]/META-INF/ directory for the same
 reason.


I did, but there is none, and there never was one. That's what I thought
first, but there's just a MANIFEST.MF file inside.

 If you find an existing Context definition, then insert your valve filter
 there and delete your newly created application.xml.


 Best wishes

 Lutz



I attached the server.xml and the application's xml file to the mail though.

Regards,

Jens





AW: Restrict access to webapps for IPs

2005-05-11 Thread Altrock, Jens
Hm didn't attach them.. 
So here they are:

Server.xml:

<!-- Example Server Configuration File -->
<!-- Note that component elements are nested corresponding to their
     parent-child relationships with each other -->

<!-- A "Server" is a singleton element that represents the entire JVM,
     which may contain one or more "Service" instances.  The Server
     listens for a shutdown command on the indicated port.

     Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" or "Loggers" at this level.
 -->

<Server port="8005" shutdown="SHUTDOWN" debug="0">


  <!-- Comment these entries out to disable JMX MBeans support -->
  <!-- You may also configure custom components (e.g. Valves/Realms) by
       including your own mbean-descriptor file(s), and setting the
       "descriptors" attribute to point to a ';' separated list of paths
       (in the ClassLoader sense) of files to add to the default list.
       e.g. descriptors="/com/myfirm/mypackage/mbean-descriptor.xml"
  -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
            debug="0"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
            debug="0"/>

  <!-- Global JNDI resources -->
  <GlobalNamingResources>

    <!-- Test entry for demonstration purposes -->
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>

    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
       description="User database that can be updated and saved">
    </Resource>
    <ResourceParams name="UserDatabase">
      <parameter>
        <name>factory</name>
        <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
      </parameter>
      <parameter>
        <name>pathname</name>
        <value>conf/tomcat-users.xml</value>
      </parameter>
    </ResourceParams>

  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" (and therefore the web applications visible
       within that Container).  Normally, that Container is an "Engine",
       but this is not required.

       Note:  A "Service" is not itself a "Container", so you may not
       define subcomponents such as "Valves" or "Loggers" at this level.
   -->

  <!-- Define the Tomcat Stand-Alone Service -->
  <Service name="Catalina">

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned.  Each Connector passes requests on to the
         associated "Container" (normally an Engine) for processing.

         By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
         You can also enable an SSL HTTP/1.1 Connector on port 8443 by
         following the instructions below and uncommenting the second Connector
         entry.  SSL support requires the following steps (see the SSL Config
         HOWTO in the Tomcat 5 documentation bundle for more detailed
         instructions):
         * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
           later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
         * Execute:
             %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
             $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  (Unix)
           with a password value of "changeit" for both the certificate and
           the keystore itself.

         By default, DNS lookups are enabled when a web application calls
         request.getRemoteHost().  This can have an adverse impact on
         performance, so you can disable it by setting the
         "enableLookups" attribute to "false".  When DNS lookups are disabled,
         request.getRemoteHost() will return the String version of the
         IP address of the remote client.
    -->

    <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               debug="0" connectionTimeout="2"
               disableUploadTimeout="true" />
    <!-- Note : To disable connection timeouts, set connectionTimeout value
         to 0 -->

    <!-- Note : To use gzip compression you could set the following
         properties :

           compression="on"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml"
    -->

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    <!--

AW: Restrict access to webapps for IPs

2005-05-11 Thread Altrock, Jens
Ok, thanks again. Got it now working :)


 -Original Message-
 From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 11 May 2005 09:35
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs


 Hi Jens,

 On Wednesday, 11 May 2005 09:01, Altrock, Jens wrote:
   -Original Message-
   From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, 11 May 2005 08:50
   To: Tomcat Users List
   Subject: Re: Restrict access to webapps for IPs
  
  
   Hi Jens,
  
   On Wednesday, 11 May 2005 08:17, Altrock, Jens wrote:
    Ok tried it again.. first some more information:
    I am using Tomcat 5.0.28 on Redhat Fedora Core 3, installed in
    /usr/local/tomcat

 [...]

    I have to mention that I neither wrote that app nor know much
    about it anyway.. it uses a JDBC connection to a mysql database to
    write data to that db. But after creating the config file mentioned
    above, the JDBC driver didn't work anymore...
   
    Can anyone help me with that?
  
   It looks like your new Context definition is overriding an existing
   Context definition for this web application which contains the
   resource definition for the MySQL database.
  
   So you should have a look at your $CATALINA_HOME/conf/server.xml if
   there might be an existing Context definition inside the related
   Host element.
 
  I looked at the $CATALINA_HOME/conf/server.xml file, but can't find
  anything like that inside the HOST element. It's the standard
  server.xml file, though; I don't know in what way a servlet itself
  could change that file, but I don't think it can.
 
   You should also look for a context.xml in the
   $CATALINA_HOME/webapps/[webapp]/META-INF/ directory for the same
   reason.
 
  I did, but there is none, and there never was one. That's what I
  thought first, but there's just a MANIFEST.MF file inside.

 If the MySQL database connection has worked before and will work again
 when you remove your newly created Context file, then there has to be a
 Resource definition for it somewhere.

 As you are using Linux, why don't you simply search the files in the
 $CATALINA_HOME directory for this Resource definition? I.e. like this:

   grep -R mysql /usr/local/tomcat

 This way, you should find the file defining the MySQL resource for your
 web application (context). Then proceed as I suggested.


 Best wishes

 Lutz







AW: Restrict access to webapps for IPs

2005-05-10 Thread Altrock, Jens
That's what I already read, but it never says in which config files to put
that, nor are there any examples... or did I just not see them?

Jens


 -Original Message-
 From: Tim Funk [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 10 May 2005 14:42
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs


 http://jakarta.apache.org/tomcat/faq/security.html#restrict

 -Tim

 Altrock, Jens wrote:
  Hi there,
 
  Hope this question won't sound too dumb, as I am completely new to
  Tomcat and haven't found what I was searching for in the
  documentation...
 
  I got four different applications/websites in the Tomcat webapps
  directory, let's just call them A, B, C and D.
  The applications A, B and C should be accessible from the networks
  192.100.46.0/24 as well as 172.16.0.0/16.
  But application D should be accessible from anywhere.
 
  Is there any way to do this in tomcat? I tried with the apache .htaccess
  files, but that won't work.
 







Re: AW: Restrict access to webapps for IPs

2005-05-10 Thread Tim Funk
Can be placed in either server.xml, the context declaration for the webapp
(or both)

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="127.0.0.1"/>
-Tim
Altrock, Jens wrote:
That's what I already read, but it never says in which config files to put
that, nor are there any examples... or did I just not see them?
Jens

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 10 May 2005 14:42
To: Tomcat Users List
Subject: Re: Restrict access to webapps for IPs
http://jakarta.apache.org/tomcat/faq/security.html#restrict
-Tim
Altrock, Jens wrote:
Hi there,
Hope this question won't sound too dumb, as I am completely new to Tomcat
and haven't found what I was searching for in the documentation...

I got four different applications/websites in the Tomcat webapps directory,
let's just call them A, B, C and D.
The applications A, B and C should be accessible from the networks
192.100.46.0/24 as well as 172.16.0.0/16.
But application D should be accessible from anywhere.

Is there any way to do this in tomcat? I tried with the apache .htaccess
files, but that won't work.



AW: AW: Restrict access to webapps for IPs

2005-05-10 Thread Altrock, Jens
Ok, got that. But do I need to install the regular expressions library?
And how do I say that I want a whole subnet to be added?


 -Original Message-
 From: Tim Funk [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 10 May 2005 14:56
 To: Tomcat Users List
 Subject: Re: AW: Restrict access to webapps for IPs


 Can be placed in either server.xml, the context declaration for the webapp
 (or both)

 <Valve className="org.apache.catalina.valves.RemoteAddrValve"
        allow="127.0.0.1"/>

 -Tim

 Altrock, Jens wrote:

  That's what I already read, but it never says in which config files to
  put that, nor are there any examples... or did I just not see them?
 
  Jens
 
 
 
 -Original Message-
 From: Tim Funk [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 10 May 2005 14:42
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs
 
 
 http://jakarta.apache.org/tomcat/faq/security.html#restrict
 
 -Tim
 
 Altrock, Jens wrote:
 
 Hi there,
 
 Hope this question won't sound too dumb, as I am completely new to Tomcat
 and haven't found what I was searching for in the documentation...
 
 I got four different applications/websites in the Tomcat webapps
 directory, let's just call them A, B, C and D.
 The applications A, B and C should be accessible from the networks
 192.100.46.0/24 as well as 172.16.0.0/16.
 But application D should be accessible from anywhere.
 
 Is there any way to do this in tomcat? I tried with the apache .htaccess
 files, but that won't work.
 
 
 
 
 
 
 
 
 
 
 







AW: Restrict access to webapps for IPs

2005-05-10 Thread Altrock, Jens
Hm... won't work :(

I added to one of the apps in webapps/name_of_app/WEB-INF/web.xml the
following:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="192.100.46.*"/>

right after the web-app tag in the xml file.
But people can access that application from the internet anyway...


 -Original Message-
 From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 10 May 2005 16:00
 To: Tomcat Users List
 Subject: Re: Restrict access to webapps for IPs


 Hi Jens,

 Altrock, Jens wrote:
  Ok, got that. But do I need to install the regular expressions
  library?

 To my practical knowledge, the RemoteAddrValve will work out of the box.
 You don't have to install additional libraries to get it to work.


  And how do I say that I want a whole subnet to be added?

 For allowing a whole subnet, just use an asterisk in the allow attribute
 value:

  <Valve ... allow="192.168.0.*"/>


 Lutz




