Re: IP based request filters for admin/manager
Thanks for the suggestions Chuck. Below is my reply inline. As you may have guessed out I am a newbie and this is turning out to be really interesting and educational. :)

-- jM.

On Sun, Jul 18, 2010 at 12:31 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:

From: Johan Martinez [mailto:jmart...@gmail.com]
Subject: Re: IP based request filters for admin/manager

I don't want to replace the default ROOT webapp, in other words, I don't want my specific webapp to be ROOT app.

A little odd, but if that's your choice...

There are multiple webapps and all are being deployed/accessed using some specific names. Clients are configured with these specific URL patterns. So ROOT webapp is not needed.

But I would like to restrict/hide information normally exposed by the default ROOT webapp.

All of what Tomcat's default ROOT has, or just some of it? For all of it, just place a Context element in webapps/ROOT/META-INF/context.xml, configuring the valve you already know about. (Do not use path or docBase attributes here - they're not allowed.) If you only want to restrict some of it, but don't want to use authentication, you'll need to write a more sophisticated filter. There's no need to move or rename ROOT, unless you're just trying to obscure things (and security through obscurity is a fool's game).

Thanks for pointing out this approach.

I removed 'manager' from webapps directory.

What version of Tomcat are you using? If you're using 5.5.x (hinted at by your previous message's reference to a doc page), the manager webapp is in server/webapps, not the regular webapps directory. If you're using a newer Tomcat (and you probably should be), manager is under the regular webapps directory.

Now I am not able to access http://hostname/manager

You never could - that will always get you a 404 (at least until Tomcat 7.0.1 comes out).

but http://hostname/manager/html works.

That's the valid URL for the manager GUI. Looks like you didn't really get rid of it.

Checked $CATALINA_HOME/conf/Catalina/localhost/manager.xml and found Context docBase=${catalina.home}/server/webapps/manager entry. I thought I removed manager app, but not really...

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: IP based request filters for admin/manager
* I put following in the $CATALINA_HOME/webapps/ROOT/META-INF/context.xml , but it's not working.

<Context>
  <Value className="org.apache.catalina.valves.RemoteAddrValue" allow="ip.addr." deny=""/>
</Context>

Also, this file is not being copied as $CATALINA_HOME/conf/Catalina/localhost/ROOT.xml.

* In addition to above file, I modified $CATALINA_HOME/conf/Catalina/localhost/manager.xml and $CATALINA_HOME/conf/Catalina/localhost/host-manager.xml as well, but that's not working either.

Am I missing anything?

-- jM.

On Sun, Jul 18, 2010 at 1:00 AM, Johan Martinez jmart...@gmail.com wrote:

> Thanks for the suggestions Chuck. Below is my reply inline. As you may have guessed out I am a newbie and this is turning out to be really interesting and educational. :)
>
> -- jM.
>
> On Sun, Jul 18, 2010 at 12:31 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
>
> From: Johan Martinez [mailto:jmart...@gmail.com]
> Subject: Re: IP based request filters for admin/manager
>
> I don't want to replace the default ROOT webapp, in other words, I don't want my specific webapp to be ROOT app.
>
> A little odd, but if that's your choice...
>
> There are multiple webapps and all are being deployed/accessed using some specific names. Clients are configured with these specific URL patterns. So ROOT webapp is not needed.
>
> But I would like to restrict/hide information normally exposed by the default ROOT webapp.
>
> All of what Tomcat's default ROOT has, or just some of it? For all of it, just place a Context element in webapps/ROOT/META-INF/context.xml, configuring the valve you already know about. (Do not use path or docBase attributes here - they're not allowed.) If you only want to restrict some of it, but don't want to use authentication, you'll need to write a more sophisticated filter. There's no need to move or rename ROOT, unless you're just trying to obscure things (and security through obscurity is a fool's game).
>
> Thanks for pointing out this approach.
>
> I removed 'manager' from webapps directory.
>
> What version of Tomcat are you using? If you're using 5.5.x (hinted at by your previous message's reference to a doc page), the manager webapp is in server/webapps, not the regular webapps directory. If you're using a newer Tomcat (and you probably should be), manager is under the regular webapps directory.
>
> Now I am not able to access http://hostname/manager
>
> You never could - that will always get you a 404 (at least until Tomcat 7.0.1 comes out).
>
> but http://hostname/manager/html works.
>
> That's the valid URL for the manager GUI. Looks like you didn't really get rid of it.
>
> Checked $CATALINA_HOME/conf/Catalina/localhost/manager.xml and found Context docBase=${catalina.home}/server/webapps/manager entry. I thought I removed manager app, but not really...
>
> - Chuck
Terminate sessions of particular domain
Dear friends,

I want to terminate the sessions of a particular domain name / webapp. How can I do so? Also, can I do so while Tomcat is running? Please advise. I am using Tomcat 5.5 on CentOS / Linux.

--
Thanks and kind Regards,
Abhishek jain
Re: Terminate sessions of particular domain
abhishek jain wrote:

> Dear friends, I want to terminate the sessions of a particular domain name / webapp.

I am not sure exactly what you want to do, but anyway I think you should be a bit more clear as to where / when / why you want to terminate these sessions.

> How can I do so? Also, can I do so while Tomcat is running?

It would be hard to terminate sessions if Tomcat is not running.
RE: Terminate sessions of particular domain
> From: abhishek jain [mailto:abhishek.netj...@gmail.com]
> Subject: Terminate sessions of particular domain
>
> I want to terminate the sessions of a particular domain name / webapp. How can I do so? Also, can I do so while Tomcat is running? Please advise. I am using Tomcat 5.5 on CentOS / Linux.

In 5.5, you can use LambdaProbe to manipulate active sessions.

Consider moving up to Tomcat 6.0, where session management is available from Tomcat's built-in manager webapp. Use the List Applications page, and click on the session count field to display the sessions for a particular webapp. From there you can expire whatever sessions you want. You can also access the session information via JMX (e.g., JConsole).

- Chuck
Re: IP based request filters for admin/manager
2010/7/18 Johan Martinez jmart...@gmail.com:

> I was wondering how to configure Request Filters to allow access to admin, manager, status-report, etc... I followed tomcat doc: http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters and I was able to restrict access by specifying webapp names, e.g.:
>
> [[[
> <Context path="/manager">
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1" deny=""/>
> </Context>
> ]]]

as said in http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html#Remote%20Address%20Filter the allow and deny attributes are regular expressions. So, '.' has to be escaped as '\.'. (an example in http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters is wrong)

I would recommend to omit the deny attribute instead of setting it to an empty string.

If there are doubts, the source code for the classes is available.

> * I put following in the $CATALINA_HOME/webapps/ROOT/META-INF/context.xml , but it's not working.
> (...)
> Also, this file is not being copied as $CATALINA_HOME/conf/Catalina/localhost/ROOT.xml.

The file in /conf/ takes priority over the one in the webapp's META-INF, because it can be edited by a local administrator.

The copying from webapp's META-INF to tomcat's conf/ occurs only when the file in conf/ does not exist, e.g. when a new web application is deployed.

Best regards,
Konstantin Kolinko
RE: IP based request filters for admin/manager
I don't have a solution, but just wanted to comment that examples in the doc are correct. See API doc: http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/valves/RequestFilterValve.html#allow

The 'allow' field uses String expression and 'allows' uses Java Regex package.

I have seen similar problems with Tomcat 5.527/28 and 6.0 on CentOS and Ubuntu, but they were not consistent to reproduce. Packages were downloaded from tomcat site and were not platform specific builds. I was running tomcat on non-standard port (not 8080 port) though.

--
Shantanu Pavgi.

From: Konstantin Kolinko [knst.koli...@gmail.com]
Sent: Sunday, July 18, 2010 11:16 AM
To: Tomcat Users List
Subject: Re: IP based request filters for admin/manager

> 2010/7/18 Johan Martinez jmart...@gmail.com:
>
> > I was wondering how to configure Request Filters to allow access to admin, manager, status-report, etc... I followed tomcat doc: http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters and I was able to restrict access by specifying webapp names, e.g.:
> >
> > [[[
> > <Context path="/manager">
> >   <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1" deny=""/>
> > </Context>
> > ]]]
>
> as said in http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html#Remote%20Address%20Filter the allow and deny attributes are regular expressions. So, '.' has to be escaped as '\.'. (an example in http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters is wrong)
>
> I would recommend to omit the deny attribute instead of setting it to an empty string.
>
> If there are doubts, the source code for the classes is available.
>
> > * I put following in the $CATALINA_HOME/webapps/ROOT/META-INF/context.xml , but it's not working.
> > (...)
> > Also, this file is not being copied as $CATALINA_HOME/conf/Catalina/localhost/ROOT.xml.
>
> The file in /conf/ takes priority over the one in the webapp's META-INF, because it can be edited by a local administrator.
>
> The copying from webapp's META-INF to tomcat's conf/ occurs only when the file in conf/ does not exist, e.g. when a new web application is deployed.
>
> Best regards,
> Konstantin Kolinko
Re: IP based request filters for admin/manager
2010/7/18 Shantanu Pavgi pa...@uab.edu:

> I don't have a solution, but just wanted to comment that examples in the doc are correct. See API doc: http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/valves/RequestFilterValve.html#allow
>
> The 'allow' field uses String expression and 'allows' uses Java Regex package.

It is the same value. allows is created from allow, by splitting the value at commas and converting each one into a regex. There is setAllow(..), but there is no setAllows(...) setter method.

http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/valves/RequestFilterValve.java?view=markup

143 public void setAllow(String allow) {
145     this.allow = allow;
146     allows = precalculate(allow);
148 }

218 protected Pattern[] precalculate(String list) {
(...)
232     String pattern = list.substring(0, comma).trim();
234     reList.add(Pattern.compile(pattern));

Best regards,
Konstantin Kolinko
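Added example, not part of the original thread and not Tomcat's own code: a small stand-in for the split-at-commas-and-compile step described above, used to compare an allow list written with unescaped dots against the escaped form. The class and method names are hypothetical, the addresses are constructed sample values, and it assumes the valve requires the whole remote address to match a pattern (`Matcher.matches()`).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class AllowListCheck {

    // Same idea as precalculate(): split the attribute value at commas,
    // trim each entry and compile it as a java.util.regex pattern.
    static List<Pattern> compileList(String list) {
        List<Pattern> out = new ArrayList<>();
        if (list == null) return out;
        for (String entry : list.split(",")) {
            String p = entry.trim();
            if (!p.isEmpty()) out.add(Pattern.compile(p));
        }
        return out;
    }

    // Assumption: an address is allowed only if one pattern matches it in full.
    static boolean allowed(List<Pattern> allows, String remoteAddr) {
        for (Pattern p : allows) {
            if (p.matcher(remoteAddr).matches()) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed allow lists: the same intent, without and with escaping.
        String unescaped = "127.0.0.1, 192.168.1.*";
        String escaped = "127\\.0\\.0\\.1, 192\\.168\\.1\\..*";
        // Constructed client addresses to test against both lists.
        String[] addrs = {
            "127.0.0.1", "192.168.1.20", "192.168.100.20", "192.168.17.9", "10.0.0.5"
        };
        List<Pattern> loose = compileList(unescaped);
        List<Pattern> strict = compileList(escaped);
        System.out.printf("%-16s %-10s %s%n", "address", "unescaped", "escaped");
        for (String a : addrs) {
            System.out.printf("%-16s %-10b %b%n", a, allowed(loose, a), allowed(strict, a));
        }
    }
}
```

For a single fully written IPv4 address the two forms accept the same dotted-quad addresses; the gap opens once an entry ends in a wildcard, where the unescaped form also admits 192.168.100.20 and 192.168.17.9.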
Re: IP based request filters for admin/manager
Started afresh and got it working finally. I tried with and without escape character and both worked.

Thanks,
jM.

On Sun, Jul 18, 2010 at 1:09 PM, Konstantin Kolinko knst.koli...@gmail.com wrote:

> 2010/7/18 Shantanu Pavgi pa...@uab.edu:
>
> > I don't have a solution, but just wanted to comment that examples in the doc are correct. See API doc: http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/valves/RequestFilterValve.html#allow
> >
> > The 'allow' field uses String expression and 'allows' uses Java Regex package.
>
> It is the same value. allows is created from allow, by splitting the value at commas and converting each one into a regex. There is setAllow(..), but there is no setAllows(...) setter method.
>
> http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/valves/RequestFilterValve.java?view=markup
>
> 143 public void setAllow(String allow) {
> 145     this.allow = allow;
> 146     allows = precalculate(allow);
> 148 }
>
> 218 protected Pattern[] precalculate(String list) {
> (...)
> 232     String pattern = list.substring(0, comma).trim();
> 234     reList.add(Pattern.compile(pattern));
>
> Best regards,
> Konstantin Kolinko