CidinhaDev,

On 5/10/21 09:46, Mar Sil wrote:
Hello,

I am using Apache Tomcat 9.0.45, running on CentOS 7 server.
On this server I have a couple of applications (apis mostly) that need to
have the access restricted to 2 specific servers.
SERVER A        <------> api call  <------>TOMCAT SERVER -  OK 200
SERVER B       <------> api call  <------> TOMCAT SERVER - OK 200

If the request is not made by server A or B, tomcat should return a 403 or
404.
The manager page should be available to any machine on our internal network
(the sysadmin would have access to the login credentials).

At the moment, I could only manage to:
1 - restrict the access globally (not just the apis but also the manager
page);
2 - restrict the access to the manager page (credentials required).
3 - restrict the access to the apis only, but with login credentials
required (this is not what I need as the api call will be made by servers,
not users)

For option 1 and 2, I have changed the server.xml ({$CATALINA_HOME}/conf),
and added the below:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
    allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
Please note that I have amended the ips accordingly.
This was done in addition to existing configuration on {$CATALINA_HOME}/webapps/manager/META-INF/context.xml with the following:
<Context antiResourceLocking="false" privileged="true" >
  <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                   sameSiteCookies="strict" />
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1 |.*" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>

I understand I can make use of a 'Context Fragment' that can be added to
individual applications, however this is not ideal for us because:
1 - Instead of me (one of the sysadmins) managing access, this
responsibility would be handed over to the api developer to add to his/her
code to be deployed;
2 - This would also require saving credentials at code level

I am exploring now the options on 'Security-Constraint' on IP restrictions,
but could not work it out quite yet.
There is also another option, which is firewall rules. However, it does not
seem to help as the servers involved are in our internal network and the
restrictions seem to be applied to servers, not different paths.

I hope I have provided clear details of the issue I am trying to solve.
Thank you very much in advance for any idea/suggestion.

It sounds like the tools available aren't able to meet your needs. In short:

1. IP/port-based firewalls can't distinguish between "paths" of a URL
2. RemoteAddrValve can be applied at <Host> or <Context> level, but you do not want to configure these in server.xml and/or an application's META-INF/context.xml file

I want to double-check on #2 above: you said you wanted the developer of the APIs to determine who can call them. If that developer bundles a META-INF/context.xml file with the RemoteAddrValve configured in it, would that meet your needs?

I think if you can't get either of the above tools to work for you, your only choice will be to implement your authentication rules in the application itself, or to use a Web Application Firewall (WAF) which can be configured in lots of different ways to e.g. require authentication for certain situations but not others. It's vitally important that all traffic goes through the WAF, which may change your network deployment plans.

-chris
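As an added illustration that is not part of this thread, the Python script below checks a RemoteAddrValve `allow` pattern the way the valve does, with a full regular-expression match against the client address, and contrasts the manager context.xml pattern quoted above (whose trailing `|.*` alternative admits any address) with one limited to the two API callers. The addresses 10.0.0.11 and 10.0.0.12 for SERVER A and SERVER B are assumed placeholders, and the check relies only on regex syntax shared by java.util.regex and Python's re.

```python
import re

# Pattern as posted for the manager context.xml: the final ".*" alternative
# matches every address, so the valve allows all clients.
POSTED_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1 |.*"

# Assumed placeholder addresses for SERVER A and SERVER B (not from the thread).
SERVER_A = "10.0.0.11"
SERVER_B = "10.0.0.12"

# Tightened pattern: loopback plus the two API callers, dots escaped so that
# "10.0.0.11" does not also admit "10.0.0.110" or "10x0y0z11".
STRICT_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|" + "|".join(
    re.escape(addr) for addr in (SERVER_A, SERVER_B)
)


def valve_allows(allow_pattern: str, remote_addr: str) -> bool:
    """Mimic RemoteAddrValve: the allow regex must match the whole address."""
    return re.fullmatch(allow_pattern, remote_addr) is not None


def audit(allow_pattern: str, addresses):
    """Map each sample client address to whether the valve would let it through."""
    return {addr: valve_allows(allow_pattern, addr) for addr in addresses}


def is_wide_open(allow_pattern: str) -> bool:
    """Flag a pattern that admits an arbitrary address outside the internal range.

    203.0.113.5 is a constructed TEST-NET-3 address used only as a probe.
    """
    return valve_allows(allow_pattern, "203.0.113.5")


# Constructed sample of clients: the two API servers, another internal host,
# loopback in IPv4/IPv6 forms, and the external probe address.
SAMPLE_CLIENTS = [SERVER_A, SERVER_B, "10.0.0.99", "127.0.0.1", "::1",
                  "0:0:0:0:0:0:0:1", "203.0.113.5"]

if __name__ == "__main__":
    for name, pattern in (("posted", POSTED_ALLOW), ("strict", STRICT_ALLOW)):
        print(f"{name}: wide open = {is_wide_open(pattern)}")
        for addr, ok in audit(pattern, SAMPLE_CLIENTS).items():
            # RemoteAddrValve answers 403 by default when the address is rejected.
            print(f"  {addr:18} -> {'allow' if ok else 'deny (403)'}")
```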
