Nathan,

I am a newbie to Java and Tomcat, and I did spend two days with two Tomcat
books I bought and Google trying to find some instructions I could
understand before posting a question to this list.  Please let me know if
there is a list more appropriate for new users.

Thanks,

Larry Nobs


----- Original Message ----- 
From: "Nathan Maves" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Tuesday, May 11, 2004 8:56 AM
Subject: Re: Filter on url example - Filter out hack attempts


> First off, this is not a Tomcat question.  This type of information is
> always available at http://java.sun.com or http://forum.java.sun.com/
>
> To answer your question... Yes.  In fact, you can place the class wherever
> you want as long as it is in your classpath.  Of course you will
> also have to change the <filter-class> attribute accordingly.
>
> Nathan
> On May 11, 2004, at 7:42 AM, lrnobs wrote:
>
> > Yoav,
> >
> > So from what I know so far my
> > /usr/local/tomcat/webapps/myapplication/WEB-INF/web.xml should look like the
> > following:
> >
> > <web-app>
> >   <filter>
> >     <filter-name>UrlFilter</filter-name>
> >     <filter-class>UrlFilter</filter-class> *Don't know how this should be laid out.*
> >   </filter>
> >
> >   <filter-mapping>
> >     <filter-name>UrlFilter</filter-name>
> >     <url-pattern>/*</url-pattern>
> >   </filter-mapping>
> >
> >   <welcome-file-list>
> >     <welcome-file>index.jsp</welcome-file>
> >     <welcome-file>index.html</welcome-file>
> >   </welcome-file-list>
> > </web-app>
> >
> >
> > Do I then create
> > /usr/local/tomcat/webapps/myapplication/WEB-INF/classes/URLFilter.java?
> >
> >
> >  public class UrlFilter implements Filter {
> >    ...
> >    public void doFilter(...) {
> >      if(req instanceof HttpServletRequest) {
> >        HttpServletRequest hreq = (HttpServletRequest) req;
> >        String uri = hreq.getRequestURI();
> >        if(allow(uri)){
> >          chain.doFilter(req, res);
> >        } else {
> >          // ...........Send to Null
> >          // Do whatever: error page, redirect, etc.
> >        }
> >      } else {
> >        // Non-HTTP requests
> >        chain.doFilter(req, res);
> >      }
> >    }
> >
> >    private boolean allow(String uri) {
> >      // Look up allowed urls in a DB, Collection, whatever
> >      // "GET / HTTP/1.1" and "GET / HTTP/1.0" reach the filter as the
> >      // path only: the context path followed by "/"
> >      if (uri.equals("/myapplication/")) return true;
> >      // indexOf() returns 0 for a match at the start, so test >= 0
> >      if (uri.indexOf("page1.jsp") >= 0) return true;
> >      // Do the same for the rest:
> >      // page2.jsp  page3.jsp  page4.jsp  page5.jsp
> >      // graphic1.gif  graphic2.gif
> >      return false;
> >    }
> >  }
> >
> > Thanks,
> >
> > Larry Nobs
> >
> >>
> >> Hi,
> >> This is a trivial filter:
> >> public class URLFilter implements Filter {
> >>   ...
> >>   public void doFilter(...) {
> >>     if(req instanceof HttpServletRequest) {
> >>       HttpServletRequest hreq = (HttpServletRequest) req;
> >>       String uri = hreq.getRequestURI();
> >>       if(allow(uri)){
> >>         chain.doFilter(req, res);
> >>       } else {
> >>         // Do whatever: error page, redirect, etc.
> >>       }
> >>     } else {
> >>       // Non-HTTP requests
> >>       chain.doFilter(req, res);
> >>     }
> >>   }
> >>
> >>     private boolean allow(String uri) {
> >>      // Look up allowed urls in a DB, Collection, whatever
> >>     }
> >> }
> >>
> >> I omitted full prototype declarations above due to laziness.  It's the
> >> javax.servlet.Filter interface.
> >>
> >> Take a look at the balancer webapp that ships with Tomcat 5.  The
> >> URLStringMatchRule is pretty close to what you want, and can be easily
> >> extended with a list of allow patterns and/or deny patterns.  Tomcat has
> >> something similar as the base Valve for the RemoteAddr/RemoteHost valves.
> >>
> >> Yoav Shapira
> >> Millennium Research Informatics
> >>
> >>
> >>> -----Original Message-----
> >>> From: lrnobs [mailto:[EMAIL PROTECTED]
> >>> Sent: Saturday, May 08, 2004 9:11 PM
> >>> To: Tomcat Users List
> >>> Subject: Filter on url example - Filter out hack attempts
> >>>
> >>> I have had no luck Googling so far for an example on how to filter based on
> >>> urls.
> >>>
> >>> I thought I might put this in the AccessLogValve but will do whatever
> >>> works.
> >>>
> >>> I have a limited number of JSPs and graphics on my site and would like to
> >>> filter out all of the hack attempts that fill up my logs.
> >>>
> >>> I would like to do something like this (in plain English)
> >>>
> >>> Accept
> >>> GET / HTTP/1.1
> >>> GET / HTTP/1.0
> >>> *page1.jsp*
> >>> *page2.jsp*
> >>> *page3.jsp*
> >>> *page4.jsp*
> >>> *page5.jsp*
> >>> *graphic1.gif*
> >>> *graphic2.gif*
> >>>
> >>> Drop All Other Requests - they are just hack attempts
> >>>
> >>> Thanks,
> >>>
> >>> Larry Nobs

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
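
A complete version of the filter sketched in this thread, as an added example (not code from any poster or from Tomcat). It compares the whole context-relative path against a fixed set, because getRequestURI() returns only the path and never the "GET / HTTP/1.1" request line. The allowed paths are the placeholder names from the original question, and answering everything else with 404 is an assumption.

```java
// Added example, not from the thread. The allowed paths are the
// placeholder names used in the original question.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class UrlFilter implements Filter {
    // Exact, context-relative paths; anything not listed is refused.
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
        "/", "/index.jsp", "/index.html",
        "/page1.jsp", "/page2.jsp", "/page3.jsp", "/page4.jsp", "/page5.jsp",
        "/graphic1.gif", "/graphic2.gif"));

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            if (!allow((HttpServletRequest) req)) {
                // Assumption: reply 404 rather than revealing that a filter exists.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Whole-path comparison: a substring test such as indexOf("page1.jsp")
    // would also accept "/page1.jsp.bak" or "/other/page1.jsp".
    static boolean allow(HttpServletRequest hreq) {
        String uri = hreq.getRequestURI();   // raw path, no query string
        String ctx = hreq.getContextPath();  // "/myapplication", or "" for the root webapp
        String path = uri.startsWith(ctx) ? uri.substring(ctx.length()) : uri;
        // Encoded or ";param" variants of a listed path do not match and are refused.
        return ALLOWED.contains(path);
    }
}
```

With the class in the default package under WEB-INF/classes, the <filter-class>UrlFilter</filter-class> entry from the web.xml quoted above applies unchanged.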
