So you should be safe if you can trust your network to say the 198.168.0.25 is that computer and not a spoof.
-Tim
Martin Jericho wrote:
Since it looks like there is no easy way to do it, does anyone know of a secure way to check the source IP address or target port of the request? Am I correct in assuming that the getServerPort() and getRemoteAddr() methods are not reliable for security purposes?
----- Original Message ----- From: "Tim Funk" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, September 12, 2003 11:09 AM
Subject: Re: Deployment on a specific port
Actually as to different services it could be the same webapp but tomcat would treat them as two different webapps.
At this time at night, I'm out of ideas. (Actually, brain ain't working,
must
sleep)
The simple kludge is to keep with the original idea and store the shared
data
in a common classloader in some static fashion. (Emphasis ... kludge)
-Tim
Martin Jericho wrote:
Thanks Tim, but I forgot to mention that both servlet have to be in the
same
webapp! One is my main servlet that handles user web requests, and the other is the AxisServlet for handling a SOAP interface into the same application. I want to stick the SOAP servlet onto a different port
which
can not be accessed from outside the firewall.
What are the "extra tricks" you mentioned?
----- Original Message ----- From: "Tim Funk" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, September 12, 2003 10:51 AM
Subject: Re: Deployment on a specific port
I think you can create 2 services and each service gets is own connector
and
webapp.
This also means that both servlets can't be in the same webapp. (Without extra tricks)
-Tim
Martin Jericho wrote:
I would like to set up a single standalone instance of tomcat with
connectors on two ports, and deploy one servlet to work only on one port
and
a different servlet to work only on the other port. Is this possible?
If not, the only way I can get around it that I can see is to use the
ServletRequest.getServerPort() method to check which port the request
came
in on an reject it if it was on the wrong port. I suspect however that
this
is not secure as the value returned by getServerPort() comes from the request header, which can easily be spoofed. Will the ServletRequest.getLocalPort() method in the proposed 2.4 spec be more secure?
How are other people doing this?
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
