Re: Authenticate requests from localhost using tomcat RemoteAddrFilter
I have not yet tried playing with the firewall. I was thinking along the lines of adding capability in the filter to find if the request originated from localhost. Right now it just does string comparison.

Jaikit

----- Original Message -----
From: Ralph Plawetzki
To: Tomcat Users List
Cc:
Sent: Saturday, September 22, 2012 10:41 PM
Subject: Re: Authenticate requests from localhost using tomcat RemoteAddrFilter

Jaikit,

On 23.09.2012 00:04, Jaikit Savla wrote:
> Hello Users,
>
> I have some admin api's which I want to have restricted access - such that
> only if the request originates from localhost - it will execute.
> For that I am using tomcat's RemoteAddrfilter

what exactly do you mean with admin api's?

> <filter>
>   <filter-name>Remote Address Filter</filter-name>
>   <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>   <init-param>
>     <param-name>allow</param-name>
>     <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>Remote Address Filter</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>

see http://www.oracle.com/technetwork/java/filters-137243.html
"A filter dynamically intercepts requests and responses to transform or use the information contained in the requests or responses."
So this is something that is part of a web application which is running on tomcat.

> Now when I execute the request from localhost - request fails with 403.
> Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter
> does string comparison of ip. Hence it fails.
> Any clue on how to resolve this use case ?
>
> -bash-4.1$ curl -v http://localhost/ws/local/info
> * About to connect() to localhost port 80 (#0)
> *   Trying 127.0.0.1... connected
> * Connected to localhost (127.0.0.1) port 80 (#0)
>> GET /ws/local/vip/info HTTP/1.1
>> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7
>> OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
>> Host: localhost
>> Accept: */*
>>
> < HTTP/1.1 403 Forbidden

I am guessing here: if you want to restrict access to your tomcat server to certain clients, you could solve this by configuring your firewall accordingly.

Ralph

-----
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Authenticate requests from localhost using tomcat RemoteAddrFilter
Jaikit,

On 23.09.2012 00:04, Jaikit Savla wrote:
> Hello Users,
>
> I have some admin api's which I want to have restricted access - such that
> only if the request originates from localhost - it will execute.
> For that I am using tomcat's RemoteAddrfilter

what exactly do you mean with admin api's?

> <filter>
>   <filter-name>Remote Address Filter</filter-name>
>   <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>   <init-param>
>     <param-name>allow</param-name>
>     <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>Remote Address Filter</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>

see http://www.oracle.com/technetwork/java/filters-137243.html
"A filter dynamically intercepts requests and responses to transform or use the information contained in the requests or responses."
So this is something that is part of a web application which is running on tomcat.

> Now when I execute the request from localhost - request fails with 403.
> Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter
> does string comparison of ip. Hence it fails.
> Any clue on how to resolve this use case ?
>
> -bash-4.1$ curl -v http://localhost/ws/local/info
> * About to connect() to localhost port 80 (#0)
> *   Trying 127.0.0.1... connected
> * Connected to localhost (127.0.0.1) port 80 (#0)
>> GET /ws/local/vip/info HTTP/1.1
>> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7
>> OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
>> Host: localhost
>> Accept: */*
>>
> < HTTP/1.1 403 Forbidden

I am guessing here: if you want to restrict access to your tomcat server to certain clients, you could solve this by configuring your firewall accordingly.

Ralph
Re: Where do I store Images in tomcat structure so that I can retrieve it properly in all browsers
On 9/17/2012 10:20 PM, Christopher Schultz wrote:
> If you instead implemented your own "aliases" feature using a servlet, you
> could do it in a smarter way because you understand your own URL space: you
> might always know that /images/X will translate directly into
> /file/place/on/the/disk/X and you don't have to do a prefix match. You could
> do something like this:
>
>     // configured once
>     Map<String,File> dirMapping = ...;
>     String imageURIPrefix = "/images/";
>
>     // For each request:
>     String uri = request.getRequestURI();
>     // directory part of the URI, e.g. "/images" for "/images/X"
>     String imageDirStr = uri.substring(0, uri.lastIndexOf('/'));
>     File dir = dirMapping.get(imageDirStr);
>
> Now you know where your file should be, and there wasn't any linear lookup:
> it was all done using hashes.

Ah, I can implement it, if my understanding is correct, what you are suggesting here is that grab the incoming url, check if they are making a request to Images, if yes then point the url to the appropriate directory of images for serving. I can do this if it gives me good performance. I was under impression that Tomcat checks for the alias only once during its start up phase and somehow maintains the list of it in memory and will do automatic match without scanning each alias. My bad. Alias as per my understanding is the one of the places where Tomcat looks for resources to serve for the requests.

> Probably not: the suggestion was to use, say, ${imagePrefix} in your
> context's aliases setup to simplify the re-location of your image root on
> disk.

I did not get this, probably one of the reasons could be I am still struggling to come to speed. I might need some more days to think as what this means in terms of implementation.

> There's really only one rule for servlet programming: Don't use class-level
> data that changes. There are other considerations, of course, but a servlet
> is not a sacred beast. There's only one way to learn how to do it properly:
> fall on your face a few times.

Yes I understand this somewhat and that's the reason probably I am somewhat hesitating to reuse some of classes and that's increasing size of my code and probably duplicating my code. But again there are some good things, I can extend those classes in future and can bring down those modules if required without impacting anything or making any changes to existing code. This is only plus point I can see now. Everything now is independent of each other.

Finally at least I am enjoying doing something good rather than finding silly bugs and chasing developers for fixing those.

I will upgrade to 7.30 shortly if it saves me some memory.

Thanks Chris and Konstantin. Appreciate your guidance.
Authenticate requests from localhost using tomcat RemoteAddrFilter
Hello Users,

I have some admin api's which I want to have restricted access - such that only if the request originates from localhost - it will execute. For that I am using tomcat's RemoteAddrfilter

    <filter>
      <filter-name>Remote Address Filter</filter-name>
      <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
      <init-param>
        <param-name>allow</param-name>
        <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>Remote Address Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

Now when I execute the request from localhost - request fails with 403. Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter does string comparison of ip. Hence it fails.
Any clue on how to resolve this use case ?

    -bash-4.1$ curl -v http://localhost/ws/local/info
    * About to connect() to localhost port 80 (#0)
    *   Trying 127.0.0.1... connected
    * Connected to localhost (127.0.0.1) port 80 (#0)
    > GET /ws/local/vip/info HTTP/1.1
    > User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
    > Host: localhost
    > Accept: */*
    >
    < HTTP/1.1 403 Forbidden

Appreciate any help.
Thanks
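
The two kinds of check this thread contrasts, as an added example that is not code from the posts or from Tomcat: the allow expression applied as a whole-string match, next to a comparison of the address itself against loopback and this host's own interfaces. The class and method names are hypothetical, and the whole-string match is an assumption about how the filter applies the expression.

```java
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

// Hypothetical helper class for illustration, not part of Tomcat.
public class LocalOriginCheck {
    // The allow expression from the web.xml in the post.
    static final Pattern ALLOW =
        Pattern.compile("127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1");

    // String comparison: the whole address text must match the expression
    // (assumed to be how the filter applies it).
    static boolean allowedByPattern(String remoteAddr) {
        return ALLOW.matcher(remoteAddr).matches();
    }

    // Address comparison: true for loopback addresses and for addresses
    // bound to one of this host's own interfaces. remoteAddr is expected to
    // be an IP literal, as returned by ServletRequest.getRemoteAddr(), so
    // getByName() parses it without a DNS lookup.
    // Caveat: behind a reverse proxy on the same host every proxied request
    // has a local source address, so this says nothing about the real client.
    static boolean isLocalOrigin(String remoteAddr)
            throws UnknownHostException, SocketException {
        InetAddress addr = InetAddress.getByName(remoteAddr);
        return addr.isLoopbackAddress()
            || NetworkInterface.getByInetAddress(addr) != null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples; 192.0.2.10 is a documentation address that
        // no local interface should carry. Pass other addresses as arguments.
        String[] samples = args.length > 0 ? args
            : new String[] {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "192.0.2.10"};
        for (String s : samples) {
            System.out.printf("%-16s pattern=%-5b localOrigin=%b%n",
                s, allowedByPattern(s), isLocalOrigin(s));
        }
    }
}
```

Run it with the machine's own non-loopback address as an argument to see the case from the post: the expression rejects the address while the interface comparison accepts it.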
Re: very basic question about apache and tomcat
Mead, Jen L wrote:
> Yes, I did not find that useful. It is very vague to say the least. If I am
> missing something please let me know. I want to use Built-in Tomcat support.

Simplify your life and have a look at Jespa (www.ioplex.com). It is free for testing, and not expensive for production. Download the Operator's Guide and read it. It works all in Tomcat and doesn't require any other pieces than itself (*) - and a Windows domain environment of course.

There are several other ways, but I am not familiar with them.

Any type of web-based "Windows Integrated Authentication" (to give it one of its many names) requires that the browser supports it. I can confirm that it works with IE and with Firefox. I do not know about the others.

(*) Sorry, ooops, it does require a jar from Samba (jcifs.jar). The Operator Manual tells you that, and where to get it from.

> Jen
>
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Thursday, September 20, 2012 9:20 AM
> To: Tomcat Users List
> Subject: RE: very basic question about apache and tomcat
>
> "Mead, Jen L" wrote:
>> Hi Chris,
>>
>> I met you at a PERL conference years and years ago along with a bunch of
>> other people you met. Anyways. Exactly what I am trying to do is allow
>> folks to use their web browser (I would like to stick with tomcat 7.0.27
>> on aix 6.1) from their windows workstation and authenticate against the
>> windows domain. I am hoping this can be accomplished without creating unix
>> accounts. The permissions for it, page access or run the tool would reside
>> in the tomcat configuration side, but all authentication would be from
>> the windows side. If you can tell me how to do that I would be pretty
>> happy. I cannot find documentation on how to do it
>
> Did you find this?
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>
> I haven't tested this when Tomcat is on a non-Windows platform.
> It is certainly possible for this to work although whether any other pieces
> (such as samba) are required and what their configuration might be I don't
> know. OTOH, it might just work. I'll add looking at this to my to do list
> but it is a long list...
>
> Mark
Re: Setting JVM Parameters in Windows Service for Tomcat7
Patrick Flaherty wrote:
> Hi Mikolaj,
>
> Is this a Windows platform ?

:-)
If you manage to run tomcat.exe on a platform other than Windows, let us know. It would greatly simplify the Tomcat releases.

> -Pat
>
> On Sep 20, 2012, at 10:16 AM, Mikolaj Rydzewski wrote:
>
>> On 20.09.2012 15:59, Patrick Flaherty wrote:
>>> Have you tried this and gotten it to work ? My check to see if it took
>>> has been to open tomcatw.exe and check the values there. No matter what
>>> I've tried I cannot get it to take.
>>
>> Yes, it works for me in both ways (either via CLI or GUI). In fact I use
>> ant script to modify service parameters (please forgive broken lines):
>>
>> --
>> Mikolaj Rydzewski
Re: tomcat manager login
On Sat, 2012-09-22 at 14:31 +0330, Mohsen Jamali wrote:
> Hi guys,
> After searching the web about how to deploy a war file on Tomcat.

The simplest way is to just copy the war file to webapps/ under your Tomcat base. By default Tomcat will automatically deploy it from there.

> i came to
> the conclusion that i should change the /etc/tomcat6/tomcat-users.xml file
> and add sth like this :
>
> 1.
> 2. "standard, manager-gui"/>

Did you restart Tomcat?

> but after adding this two lines and going to
> localhost:8080/manager/html and entering admin as user and pass it doesn't
> accept it.

That's pretty vague. What DOES it do?

> what's wrong me.
> thanks