Re: $CATALINA_HOME/conf/context.xml .. restrict a context?
Ravi,

On 3/3/14, 5:53 PM, Ravi Gupta wrote:
> Any idea if the same would work for JBOSS 5.X (uses tomcat under the hood)? perhaps it is not the same, but I tried putting admin-console.xml under jboss-5.1.0.GA/server/default/deploy/jbossweb.sar
>
> it contains
>
> <Context path="/admin-console">
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
> </Context>
>
> But I was still able to access http://localhost:8080/admin-console after a bounce? Any suggestions would be appreciated

Take a look at the documentation for RemoteAddrValve, particularly the deny attribute. You have configured this incorrectly.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
$CATALINA_HOME/conf/context.xml .. restrict a context?
Tomcat 6.X RHEL

I tried adding the below in order to limit access to /admin-console

It worked, but it limits access to EVERY context, which is odd. I am sure I am doing something wrong or I misunderstand how this works

I want to put restrictions on the /admin-console context, but I do not want it inside the admin-console.war

Again, this works, but other contexts are denied as well!

    <Context path="/admin-console">
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>
Re: $CATALINA_HOME/conf/context.xml .. restrict a context?
Ravi,

On 3/3/14, 5:10 PM, Ravi Gupta wrote:
> Tomcat 6.X RHEL
>
> I tried adding the below in order to limit access to /admin-console
>
> It worked, but it limits access to EVERY context, which is odd. I am sure I am doing something wrong or I misunderstand how this works
>
> I want to put restrictions on the /admin-console context, but I do not want it inside the admin-console.war
>
> Again, this works, but other contexts are denied as well!
>
> <Context path="/admin-console">
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
> </Context>

I'm guessing the file you edited was CATALINA_BASE/conf/context.xml? That's not the right file to edit. Undo all the changes you made to conf/context.xml.

Instead, you want to edit the META-INF/context.xml file in your own webapp (or CATALINA_BASE/conf/[engine]/[host]/admin-console.xml if you have manually-deployed your application using an XML descriptor).

-chris
Re: $CATALINA_HOME/conf/context.xml .. restrict a context?
Thanks, the issue is that my customer does not want to restrict the admin-console in its war - the rationale is anybody can then just redeploy a new admin-console.war and access it (overwrite the restrictions). They want to restrict access to this context from OUTSIDE the actual deployment. Make sense?

On Mon, Mar 3, 2014 at 4:22 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> Ravi,
>
> On 3/3/14, 5:10 PM, Ravi Gupta wrote:
>> Tomcat 6.X RHEL
>>
>> I tried adding the below in order to limit access to /admin-console
>>
>> It worked, but it limits access to EVERY context, which is odd. I am sure I am doing something wrong or I misunderstand how this works
>>
>> I want to put restrictions on the /admin-console context, but I do not want it inside the admin-console.war
>>
>> Again, this works, but other contexts are denied as well!
>>
>> <Context path="/admin-console">
>>   <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
>> </Context>
>
> I'm guessing the file you edited was CATALINA_BASE/conf/context.xml? That's not the right file to edit. Undo all the changes you made to conf/context.xml.
>
> Instead, you want to edit the META-INF/context.xml file in your own webapp (or CATALINA_BASE/conf/[engine]/[host]/admin-console.xml if you have manually-deployed your application using an XML descriptor).
>
> -chris
Re: $CATALINA_HOME/conf/context.xml .. restrict a context?
Ravi,

(Moving the discussion back onto the list: please reply to the list and not to individuals. That's what community is about.)

On 3/3/14, 5:29 PM, Ravi Gupta wrote:
> Thanks, the issue is that my customer does not want to restrict the admin-console in its war - the rationale is anybody can then just redeploy a new admin-console.war and access it (overwrite the restrictions). They want to restrict access to this context from OUTSIDE the actual deployment. Make sense?

It makes perfect sense.

To deploy your web application in a safe way, you need to do the following:

0. Start with a stopped Tomcat.
1. Put the WAR wherever you want it to live. CATALINA_BASE/webapps is fine.
2. Extract META-INF/context.xml from your WAR file and place it in CATALINA_BASE/conf/[engine]/[host]/[appname].xml
3. Modify [appname].xml to add whatever restrictions you want.
4. Start Tomcat.

If you overwrite the WAR file, the restrictions you have set should be maintained. Note that if you /undeploy/ the webapp and then redeploy it, any customizations will be lost and will have to be re-applied.

-chris
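
The per-application descriptor from steps 2 and 3 above, written out as an added example (not part of the original thread and not a file shipped with Tomcat). The default engine and host names and the loopback-only rule are assumptions.

```xml
<!--
  Added example. File name and location follow step 2 of the procedure:
  CATALINA_BASE/conf/[engine]/[host]/admin-console.xml
  (with Tomcat's default engine and host names, assumed here, that is
  conf/Catalina/localhost/admin-console.xml).

  Scope: this descriptor applies only to the application named by the file.
  CATALINA_BASE/conf/context.xml, by contrast, is loaded by every web
  application, so a Valve placed there filters requests to all contexts.

  No path attribute: for a descriptor in this directory the context path
  is inferred from the file name (admin-console.xml -> /admin-console).
-->
<Context>
  <!-- Elements taken from the WAR's own META-INF/context.xml, if any, stay here. -->

  <!--
    allow and deny are regular expressions matched against the client IP
    address. When allow is set, a request is accepted only if the address
    matches it. A bare "*" is not a valid regular expression.
    Assumption: only the loopback address may reach the console.
  -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1" />
</Context>
```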
Re: $CATALINA_HOME/conf/context.xml .. restrict a context?
Any idea if the same would work for JBOSS 5.X (uses tomcat under the hood)? perhaps it is not the same, but I tried putting admin-console.xml under jboss-5.1.0.GA/server/default/deploy/jbossweb.sar

it contains

    <Context path="/admin-console">
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>

But I was still able to access http://localhost:8080/admin-console after a bounce? Any suggestions would be appreciated

On Mon, Mar 3, 2014 at 4:36 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> Ravi,
>
> (Moving the discussion back onto the list: please reply to the list and not to individuals. That's what community is about.)
>
> On 3/3/14, 5:29 PM, Ravi Gupta wrote:
>> Thanks, the issue is that my customer does not want to restrict the admin-console in its war - the rationale is anybody can then just redeploy a new admin-console.war and access it (overwrite the restrictions). They want to restrict access to this context from OUTSIDE the actual deployment. Make sense?
>
> It makes perfect sense.
>
> To deploy your web application in a safe way, you need to do the following:
>
> 0. Start with a stopped Tomcat.
> 1. Put the WAR wherever you want it to live. CATALINA_BASE/webapps is fine.
> 2. Extract META-INF/context.xml from your WAR file and place it in CATALINA_BASE/conf/[engine]/[host]/[appname].xml
> 3. Modify [appname].xml to add whatever restrictions you want.
> 4. Start Tomcat.
>
> If you overwrite the WAR file, the restrictions you have set should be maintained. Note that if you /undeploy/ the webapp and then redeploy it, any customizations will be lost and will have to be re-applied.
>
> -chris
Re: $CATALINA_HOME/conf/context.xml .. restrict a context?
According to this, it should match up

https://community.jboss.org/wiki/Web-AppContextConfiguration

On Mon, Mar 3, 2014 at 4:53 PM, Ravi Gupta rkgupt...@gmail.com wrote:
> Any idea if the same would work for JBOSS 5.X (uses tomcat under the hood)? perhaps it is not the same, but I tried putting admin-console.xml under jboss-5.1.0.GA/server/default/deploy/jbossweb.sar
>
> it contains
>
> <Context path="/admin-console">
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
> </Context>
>
> But I was still able to access http://localhost:8080/admin-console after a bounce? Any suggestions would be appreciated
>
> On Mon, Mar 3, 2014 at 4:36 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>> Ravi,
>>
>> (Moving the discussion back onto the list: please reply to the list and not to individuals. That's what community is about.)
>>
>> On 3/3/14, 5:29 PM, Ravi Gupta wrote:
>>> Thanks, the issue is that my customer does not want to restrict the admin-console in its war - the rationale is anybody can then just redeploy a new admin-console.war and access it (overwrite the restrictions). They want to restrict access to this context from OUTSIDE the actual deployment. Make sense?
>>
>> It makes perfect sense.
>>
>> To deploy your web application in a safe way, you need to do the following:
>>
>> 0. Start with a stopped Tomcat.
>> 1. Put the WAR wherever you want it to live. CATALINA_BASE/webapps is fine.
>> 2. Extract META-INF/context.xml from your WAR file and place it in CATALINA_BASE/conf/[engine]/[host]/[appname].xml
>> 3. Modify [appname].xml to add whatever restrictions you want.
>> 4. Start Tomcat.
>>
>> If you overwrite the WAR file, the restrictions you have set should be maintained. Note that if you /undeploy/ the webapp and then redeploy it, any customizations will be lost and will have to be re-applied.
>>
>> -chris