Re: IP based request filters for admin/manager
Johan,

On 7/18/2010 11:48 PM, Johan Martinez wrote:
> Started afresh and got it working finally. I tried with and without escape character and both worked.

Probably because . matches '.'.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: IP based request filters for admin/manager
Christopher Schultz wrote:
> Johan,
>
> On 7/18/2010 11:48 PM, Johan Martinez wrote:
>> Started afresh and got it working finally. I tried with and without escape character and both worked.
>
> Probably because . matches '.'.

Yep. :-)

Johan, if you are still there, a bit more explicitly:

The regexp /123.123.123.123/ will match the string 123.123.123.123, but also the strings 123#123#123#123 and 123?123X123+123 (and many other similar ones), because in a regexp a non-escaped . matches any single character.

On the other hand, the regexp /123\.123\.123\.123/ will only match the string 123.123.123.123, because escaping the . by a backslash means a literal dot.
Re: IP based request filters for admin/manager
Thanks for the suggestions Chuck. Below is my reply inline. As you may have guessed out I am a newbie and this is turning out to be really interesting and educational. :)

-- jM.

On Sun, Jul 18, 2010 at 12:31 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>> From: Johan Martinez [mailto:jmart...@gmail.com]
>> Subject: Re: IP based request filters for admin/manager
>>
>> I don't want to replace the default ROOT webapp, in other words, I don't want my specific webapp to be ROOT app.
>
> A little odd, but if that's your choice...

There are multiple webapps and all are being deployed/accessed using some specific names. Clients are configured with these specific URL patterns. So ROOT webapp is not needed.

>> But I would like to restrict/hide information normally exposed by the default ROOT webapp.
>
> All of what Tomcat's default ROOT has, or just some of it? For all of it, just place a Context element in webapps/ROOT/META-INF/context.xml, configuring the valve you already know about. (Do not use path or docBase attributes here - they're not allowed.) If you only want to restrict some of it, but don't want to use authentication, you'll need to write a more sophisticated filter. There's no need to move or rename ROOT, unless you're just trying to obscure things (and security through obscurity is a fool's game).

Thanks for pointing out this approach.

>> I removed 'manager' from webapps directory.
>
> What version of Tomcat are you using? If you're using 5.5.x (hinted at by your previous message's reference to a doc page), the manager webapp is in server/webapps, not the regular webapps directory. If you're using a newer Tomcat (and you probably should be), manager is under the regular webapps directory.
>
>> Now I am not able to access http://hostname/manager
>
> You never could - that will always get you a 404 (at least until Tomcat 7.0.1 comes out).
>
>> but http://hostname/manager/html works.
>
> That's the valid URL for the manager GUI. Looks like you didn't really get rid of it.

Checked $CATALINA_HOME/conf/Catalina/localhost/manager.xml and found Context docBase=${catalina.home}/server/webapps/manager entry. I thought I removed manager app, but not really...

> - Chuck
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: IP based request filters for admin/manager
* I put following in the $CATALINA_HOME/webapps/ROOT/META-INF/context.xml, but it's not working.

<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="ip.addr." deny=""/>
</Context>

Also, this file is not being copied as $CATALINA_HOME/conf/Catalina/localhost/ROOT.xml.

* In addition to above file, I modified $CATALINA_HOME/conf/Catalina/localhost/manager.xml and $CATALINA_HOME/conf/Catalina/localhost/host-manager.xml as well, but that's not working either.

Am I missing anything?

-- jM.

On Sun, Jul 18, 2010 at 1:00 AM, Johan Martinez <jmart...@gmail.com> wrote:
> Thanks for the suggestions Chuck. Below is my reply inline. As you may have guessed out I am a newbie and this is turning out to be really interesting and educational. :)
>
> -- jM.
>
> On Sun, Jul 18, 2010 at 12:31 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>>> From: Johan Martinez [mailto:jmart...@gmail.com]
>>> Subject: Re: IP based request filters for admin/manager
>>>
>>> I don't want to replace the default ROOT webapp, in other words, I don't want my specific webapp to be ROOT app.
>>
>> A little odd, but if that's your choice...
>
> There are multiple webapps and all are being deployed/accessed using some specific names. Clients are configured with these specific URL patterns. So ROOT webapp is not needed.
>
>>> But I would like to restrict/hide information normally exposed by the default ROOT webapp.
>>
>> All of what Tomcat's default ROOT has, or just some of it? For all of it, just place a Context element in webapps/ROOT/META-INF/context.xml, configuring the valve you already know about. (Do not use path or docBase attributes here - they're not allowed.) If you only want to restrict some of it, but don't want to use authentication, you'll need to write a more sophisticated filter. There's no need to move or rename ROOT, unless you're just trying to obscure things (and security through obscurity is a fool's game).
>
> Thanks for pointing out this approach.
>
>>> I removed 'manager' from webapps directory.
>>
>> What version of Tomcat are you using? If you're using 5.5.x (hinted at by your previous message's reference to a doc page), the manager webapp is in server/webapps, not the regular webapps directory. If you're using a newer Tomcat (and you probably should be), manager is under the regular webapps directory.
>>
>>> Now I am not able to access http://hostname/manager
>>
>> You never could - that will always get you a 404 (at least until Tomcat 7.0.1 comes out).
>>
>>> but http://hostname/manager/html works.
>>
>> That's the valid URL for the manager GUI. Looks like you didn't really get rid of it.
>
> Checked $CATALINA_HOME/conf/Catalina/localhost/manager.xml and found Context docBase=${catalina.home}/server/webapps/manager entry. I thought I removed manager app, but not really...
>
>> - Chuck
Re: IP based request filters for admin/manager
2010/7/18 Johan Martinez <jmart...@gmail.com>:
> I was wondering how to configure Request Filters to allow access to admin, manager, status-report, etc... I followed tomcat doc: http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters and I was able to restrict access by specifying webapp names, e.g.:
>
> [[[
> <Context path="/manager">
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1" deny=""/>
> </Context>
> ]]]

As said in http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html#Remote%20Address%20Filter the allow and deny attributes are regular expressions. So, '.' has to be escaped as '\.'. (An example in http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters is wrong.)

I would recommend to omit the deny attribute instead of setting it to an empty string.

If there are doubts, the source code for the classes is available.

> * I put following in the $CATALINA_HOME/webapps/ROOT/META-INF/context.xml, but it's not working.
> (...)
> Also, this file is not being copied as $CATALINA_HOME/conf/Catalina/localhost/ROOT.xml.

The file in /conf/ takes priority over the one in the webapp's META-INF, because it can be edited by a local administrator.

The copying from webapp's META-INF to tomcat's conf/ occurs only when the file in conf/ does not exist, e.g. when a new web application is deployed.

Best regards,
Konstantin Kolinko
RE: IP based request filters for admin/manager
I don't have a solution, but just wanted to comment that examples in the doc are correct. See API doc: http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/valves/RequestFilterValve.html#allow The 'allow' field uses String expression and 'allows' uses Java Regex package.

I have seen similar problems with Tomcat 5.5.27/28 and 6.0 on CentOS and Ubuntu, but they were not consistent to reproduce. Packages were downloaded from tomcat site and were not platform specific builds. I was running tomcat on non-standard port (not 8080 port) though.

-- Shantanu Pavgi.

From: Konstantin Kolinko [knst.koli...@gmail.com]
Sent: Sunday, July 18, 2010 11:16 AM
To: Tomcat Users List
Subject: Re: IP based request filters for admin/manager

> 2010/7/18 Johan Martinez <jmart...@gmail.com>:
>> I was wondering how to configure Request Filters to allow access to admin, manager, status-report, etc... I followed tomcat doc: http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters and I was able to restrict access by specifying webapp names, e.g.:
>>
>> [[[
>> <Context path="/manager">
>>   <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1" deny=""/>
>> </Context>
>> ]]]
>
> As said in http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html#Remote%20Address%20Filter the allow and deny attributes are regular expressions. So, '.' has to be escaped as '\.'. (An example in http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters is wrong.)
>
> I would recommend to omit the deny attribute instead of setting it to an empty string.
>
> If there are doubts, the source code for the classes is available.
>
>> * I put following in the $CATALINA_HOME/webapps/ROOT/META-INF/context.xml, but it's not working.
>> (...)
>> Also, this file is not being copied as $CATALINA_HOME/conf/Catalina/localhost/ROOT.xml.
>
> The file in /conf/ takes priority over the one in the webapp's META-INF, because it can be edited by a local administrator.
>
> The copying from webapp's META-INF to tomcat's conf/ occurs only when the file in conf/ does not exist, e.g. when a new web application is deployed.
>
> Best regards,
> Konstantin Kolinko
Re: IP based request filters for admin/manager
2010/7/18 Shantanu Pavgi <pa...@uab.edu>:
> I don't have a solution, but just wanted to comment that examples in the doc are correct. See API doc: http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/valves/RequestFilterValve.html#allow The 'allow' field uses String expression and 'allows' uses Java Regex package.

It is the same value. allows is created from allow, by splitting the value at commas and converting each one into a regex. There is setAllow(..), but there is no setAllows(...) setter method.

http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/valves/RequestFilterValve.java?view=markup

143     public void setAllow(String allow) {
145         this.allow = allow;
146         allows = precalculate(allow);
148     }

218     protected Pattern[] precalculate(String list) {
(...)
232             String pattern = list.substring(0, comma).trim();
234             reList.add(Pattern.compile(pattern));

Best regards,
Konstantin Kolinko
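The comma-splitting Konstantin describes here, together with the unescaped-dot behaviour spelled out earlier in the thread, as an added Java illustration that mirrors the allow/deny evaluation of Tomcat 5.5's RequestFilterValve (added example, not the valve's own source; the class name RemoteAddrFilterDemo and the method isAllowed are assumed names, precalculate is named after the real method):

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Re-creation of how Tomcat 5.5's RequestFilterValve turns the allow/deny
 * attributes into regexes and evaluates a client address against them.
 * Added illustration only; not Tomcat's own source.
 */
public class RemoteAddrFilterDemo {

    /** Mirrors precalculate(): split the attribute at commas, compile each piece. */
    static Pattern[] precalculate(String list) {
        List<Pattern> out = new ArrayList<>();
        if (list == null || list.trim().isEmpty()) {
            return new Pattern[0];          // attribute omitted, or deny=""
        }
        for (String piece : list.split(",")) {
            String pattern = piece.trim();
            if (!pattern.isEmpty()) {
                out.add(Pattern.compile(pattern));
            }
        }
        return out.toArray(new Pattern[0]);
    }

    /**
     * Mirrors process(): a deny match refuses first, then an allow match admits.
     * With only a deny list everything else passes; with an allow list everything
     * else is refused. matcher(...).matches() requires the whole address to match.
     */
    static boolean isAllowed(String remoteAddr, Pattern[] allows, Pattern[] denies) {
        for (Pattern d : denies) {
            if (d.matcher(remoteAddr).matches()) return false;
        }
        for (Pattern a : allows) {
            if (a.matcher(remoteAddr).matches()) return true;
        }
        return denies.length > 0 && allows.length == 0;
    }

    public static void main(String[] args) {
        Pattern[] noDeny = precalculate(null);              // deny attribute omitted
        Pattern[] unescaped = precalculate("127.0.0.1");
        Pattern[] escaped = precalculate("127\\.0\\.0\\.1");

        // Both spellings admit the loopback address, which is why the poster
        // saw no difference between them.
        System.out.println("127.0.0.1 unescaped: " + isAllowed("127.0.0.1", unescaped, noDeny));
        System.out.println("127.0.0.1 escaped:   " + isAllowed("127.0.0.1", escaped, noDeny));

        // An unescaped '.' matches any single character, so 127x0y0z1 passes
        // the first pattern but not the escaped one.
        System.out.println("127x0y0z1 unescaped: " + isAllowed("127x0y0z1", unescaped, noDeny));
        System.out.println("127x0y0z1 escaped:   " + isAllowed("127x0y0z1", escaped, noDeny));

        // Whole-string matching still refuses a different address of similar shape.
        System.out.println("10.0.0.1 unescaped:  " + isAllowed("10.0.0.1", unescaped, noDeny));
    }
}
```

Because the address the connector reports is always dotted-decimal, the unescaped form rarely admits an unintended host in practice; escaping the dots simply makes the intent unambiguous and matches what the valve documentation says the attribute is.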
Re: IP based request filters for admin/manager
Started afresh and got it working finally. I tried with and without escape character and both worked.

Thanks,
jM.

On Sun, Jul 18, 2010 at 1:09 PM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> 2010/7/18 Shantanu Pavgi <pa...@uab.edu>:
>> I don't have a solution, but just wanted to comment that examples in the doc are correct. See API doc: http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/valves/RequestFilterValve.html#allow The 'allow' field uses String expression and 'allows' uses Java Regex package.
>
> It is the same value. allows is created from allow, by splitting the value at commas and converting each one into a regex. There is setAllow(..), but there is no setAllows(...) setter method.
>
> http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/valves/RequestFilterValve.java?view=markup
>
> 143     public void setAllow(String allow) {
> 145         this.allow = allow;
> 146         allows = precalculate(allow);
> 148     }
>
> 218     protected Pattern[] precalculate(String list) {
> (...)
> 232             String pattern = list.substring(0, comma).trim();
> 234             reList.add(Pattern.compile(pattern));
>
> Best regards,
> Konstantin Kolinko
Re: IP based request filters for admin/manager
The first line should have been:

I was wondering how to configure Request Filters to s/allow/RESTRICT/ access to admin, manager, status-report, etc.. :)

jM.

On Sat, Jul 17, 2010 at 11:19 PM, Johan Martinez <jmart...@gmail.com> wrote:
> I was wondering how to configure Request Filters to allow access to admin, manager, status-report, etc... I followed tomcat doc: http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters and I was able to restrict access by specifying webapp names, e.g.:
>
> [[[
> <Context path="/manager">
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1" deny=""/>
> </Context>
> ]]]
>
> How can I deny access to default welcome/index page, changelog, release-notes etc.? I know just restricting access to default welcome/index page does not restrict access to manager or admin links on that page. Still, I would like to restrict access to welcome/index page in addition to admin/manager webapps. I have tried / and /ROOT and it didn't work.
>
> Any help or suggestions?
>
> Thanks,
> jM.
RE: IP based request filters for admin/manager
> From: Johan Martinez [mailto:jmart...@gmail.com]
> Subject: IP based request filters for admin/manager
>
> How can I deny access to default welcome/index page, changelog, release-notes etc.?

If you're deploying Tomcat in any kind of environment that requires securing access to various components, you would normally replace the default webapp (ROOT) with one of your own, thereby eliminating the changelog, release-notes, etc.

If you want to restrict access to specific resources within a webapp, use the servlet-spec defined mechanisms to configure security for the webapp. (Some familiarity with the servlet spec is required before fooling around with a servlet container such as Tomcat.)

- Chuck
Re: IP based request filters for admin/manager
Thanks for the reply Chuck.

I don't want to replace the default ROOT webapp, in other words, I don't want my specific webapp to be ROOT app. But I would like to restrict/hide information normally exposed by the default ROOT webapp. I am thinking about renaming ROOT directory to some other-random-name and restrict access to other-random-name using IP filtering. Any suggestions or comments?

Also, an unrelated question to IP filtering, but related to the manager webapp. I removed 'manager' from webapps directory. Now I am not able to access http://hostname/manager, but http://hostname/manager/html works. I am not following how the second link is working. Am I missing anything?

Thanks,
jM.

On Sat, Jul 17, 2010 at 11:30 PM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>> From: Johan Martinez [mailto:jmart...@gmail.com]
>> Subject: IP based request filters for admin/manager
>>
>> How can I deny access to default welcome/index page, changelog, release-notes etc.?
>
> If you're deploying Tomcat in any kind of environment that requires securing access to various components, you would normally replace the default webapp (ROOT) with one of your own, thereby eliminating the changelog, release-notes, etc.
>
> If you want to restrict access to specific resources within a webapp, use the servlet-spec defined mechanisms to configure security for the webapp. (Some familiarity with the servlet spec is required before fooling around with a servlet container such as Tomcat.)
>
> - Chuck
RE: IP based request filters for admin/manager
> From: Johan Martinez [mailto:jmart...@gmail.com]
> Subject: Re: IP based request filters for admin/manager
>
> I don't want to replace the default ROOT webapp, in other words, I don't want my specific webapp to be ROOT app.

A little odd, but if that's your choice...

> But I would like to restrict/hide information normally exposed by the default ROOT webapp.

All of what Tomcat's default ROOT has, or just some of it? For all of it, just place a Context element in webapps/ROOT/META-INF/context.xml, configuring the valve you already know about. (Do not use path or docBase attributes here - they're not allowed.) If you only want to restrict some of it, but don't want to use authentication, you'll need to write a more sophisticated filter. There's no need to move or rename ROOT, unless you're just trying to obscure things (and security through obscurity is a fool's game).

> I removed 'manager' from webapps directory.

What version of Tomcat are you using? If you're using 5.5.x (hinted at by your previous message's reference to a doc page), the manager webapp is in server/webapps, not the regular webapps directory. If you're using a newer Tomcat (and you probably should be), manager is under the regular webapps directory.

> Now I am not able to access http://hostname/manager

You never could - that will always get you a 404 (at least until Tomcat 7.0.1 comes out).

> but http://hostname/manager/html works.

That's the valid URL for the manager GUI. Looks like you didn't really get rid of it.

- Chuck