Since it looks like there is no easy way to do it, does anyone know of a secure way to check the source IP address or target port of the request? Am I correct in assuming that the getServerPort() and getRemoteAddr() methods are not reliable for security purposes?
----- Original Message ----- From: "Tim Funk" <[EMAIL PROTECTED]> To: "Tomcat Users List" <[EMAIL PROTECTED]> Sent: Friday, September 12, 2003 11:09 AM Subject: Re: Deployment on a specific port > Actually as to different services it could be the same webapp but tomcat > would treat them as two different webapps. > > At this time at night, I'm out of ideas. (Actually, brain ain't working, must > sleep) > > The simple kludge is to keep with the original idea and store the shared data > in a common classloader in some static fashion. (Emphasis ... kludge) > > -Tim > > Martin Jericho wrote: > > > Thanks Tim, but I forgot to mention that both servlet have to be in the same > > webapp! One is my main servlet that handles user web requests, and the > > other is the AxisServlet for handling a SOAP interface into the same > > application. I want to stick the SOAP servlet onto a different port which > > can not be accessed from outside the firewall. > > > > What are the "extra tricks" you mentioned? > > > > ----- Original Message ----- > > From: "Tim Funk" <[EMAIL PROTECTED]> > > To: "Tomcat Users List" <[EMAIL PROTECTED]> > > Sent: Friday, September 12, 2003 10:51 AM > > Subject: Re: Deployment on a specific port > > > > > > > >>I think you can create 2 services and each service gets is own connector > > > > and > > > >>webapp. > >> > >>This also means that both servlets can't be in the same webapp. (Without > >>extra tricks) > >> > >>-Tim > >> > >>Martin Jericho wrote: > >> > >> > >>>I would like to set up a single standalone instance of tomcat with > > > > connectors on two ports, and deploy one servlet to work only on one port and > > a different servlet to work only on the other port. Is this possible? > > > >>>If not, the only way I can get around it that I can see is to use the > > > > ServletRequest.getServerPort() method to check which port the request came > > in on an reject it if it was on the wrong port. I suspect however that this > > is not secure as the value returned by getServerPort() comes from the > > request header, which can easily be spoofed. Will the > > ServletRequest.getLocalPort() method in the proposed 2.4 spec be more > > secure? > > > >>>How are other people doing this? > >> > >> > >>--------------------------------------------------------------------- > >>To unsubscribe, e-mail: [EMAIL PROTECTED] > >>For additional commands, e-mail: [EMAIL PROTECTED] > >> > >> > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
