On Mon, Mar 2, 2009 at 11:25 AM, Zak Mc Kracken <zakmc...@yahoo.it> wrote: > Gregor Schneider wrote: >> >> you've been asking the valve-stuff because you want to limit the >> access to requests coming from localhost only? > > Yep! > >> why then not make tomcat listen on localhost only? configuration for >> that's a walk in the park... >> > > My Tomcat is serving a number of webapps, I want to restrict access to one > only (the others are proper end-user-dedicated applications). Furthermore, > it's more modular if I can set up such restriction rules into the app's WAR, > rather than at Tomcat configuration level. So, it should be as previously > explained, or am I missing something? >
That wasn't clear to me. Have you ever thought about fronting Tomcat with Apache HTTPD, then connecting it via mod_jk? Thus, Tomcat would listen on localhost only, and Apache HTTPD takes care about forwarding appropriate requests to Tomcat on localhost. Besides, you could use Apache's mod_authz (http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html) to specify the authorized ips / hosts. Might be a little bit more work beforehand, but that would be my preferred solution. Rgds Gregor -- just because your paranoid, doesn't mean they're not after you... gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2 gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org