Jaikit
You can ask Catalina to check the IP address, or host name, on every incoming
request directed to the surrounding Engine, Host, or Context element.
The remote address or name will be checked against a configured list of "allow"
and/or "deny" filters, which are defined using the Regular Expression syntax
supported by the Jakarta Regexp (http://jakarta.apache.org/regexp/) regular
expression library.
Requests that come from locations that are not accepted will be rejected with
an HTTP "Forbidden" error.
Example filter declarations:
e.g.
<Host name="localhost" ...>
  ...
  <Valve className="org.apache.catalina.valves.RemoteHostValve"
         allow="*.mycompany.com,www.yourcompany.com"/>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         deny="192.168.1.*"/>
  ...
</Host>
HTH,
Martin
> Date: Sat, 22 Sep 2012 23:36:33 -0700
> From: [email protected]
> Subject: Re: Authenticate requests from localhost using tomcat
> RemoteAddrFilter
> To: [email protected]
>
> I have not yet tried playing with firewall.
> I was thinking along the lines of adding a capability in the filter to find if the
> request originated from localhost. Right now it just does string comparison.
>
> Jaikit
>
>
> ----- Original Message -----
> From: Ralph Plawetzki <[email protected]>
> To: Tomcat Users List <[email protected]>
> Cc:
> Sent: Saturday, September 22, 2012 10:41 PM
> Subject: Re: Authenticate requests from localhost using tomcat
> RemoteAddrFilter
>
> Jaikit,
>
> On 23.09.2012 00:04, Jaikit Savla wrote:
> > Hello Users,
> >
> > I have some admin api's which I want to have restricted access - such that
> > only if the request originates from localhost - it will execute.
> > For that I am using tomcat's RemoteAddrfilter
> what exactly do you mean with admin api's?
>
> > <filter>
> >   <filter-name>Remote Address Filter</filter-name>
> >   <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
> >   <init-param>
> >     <param-name>allow</param-name>
> >     <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
> >   </init-param>
> > </filter>
> > <filter-mapping>
> >   <filter-name>Remote Address Filter</filter-name>
> >   <url-pattern>/*</url-pattern>
> > </filter-mapping>
> see http://www.oracle.com/technetwork/java/filters-137243.html
> „A filter dynamically intercepts requests and responses to transform or
> use the information contained in the requests or responses.” So this is
> something that is part of a web application which is running on tomcat.
>
> > Now when I execute the request from localhost - request fails with 403.
> > Reason being "REMOTE_ADDR" is set with actual ip of the machine and filter
> > does string comparison of ip. Hence it fails.
> > Any clue on how to resolve this use case ?
> >
> >
> >
> >
> > -bash-4.1$ curl -v http://localhost/ws/local/info
> > * About to connect() to localhost port 80 (#0)
> > * Trying 127.0.0.1... connected
> > * Connected to localhost (127.0.0.1) port 80 (#0)
> >> GET /ws/local/vip/info HTTP/1.1
> >> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7
> >> OpenSSL/0.9.8o zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> >> Host: localhost
> >> Accept: */*
> >>
> > < HTTP/1.1 403 Forbidden
>
> I am guessing here: if you want to restrict access to your tomcat server
> to certain clients, you could solve this by configuring your firewall
> accordingly.
>
> Ralph
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
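
An added example, not code from this thread or from Tomcat: a stand-alone Java class that puts the string match of the quoted allow pattern next to the address-based "did this come from this machine" test that Jaikit describes. The class and method names are hypothetical, the sample addresses are constructed, and only JDK classes are used.

```java
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.util.Collections;
import java.util.regex.Pattern;

public class LocalOriginCheck {
    // The allow pattern from the web.xml quoted in this thread.
    static final Pattern ALLOW =
        Pattern.compile("127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1");
    // Only strings shaped like IP literals are parsed; host names are rejected.
    static final Pattern IP_LITERAL =
        Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}|[0-9A-Fa-f.]*:[0-9A-Fa-f:.]*");

    // String comparison: the whole address text must match the pattern.
    static boolean allowedByPattern(String remoteAddr) {
        return ALLOW.matcher(remoteAddr).matches();
    }

    // Address comparison: loopback, or an address bound to a local interface.
    static boolean isLocalOrigin(String remoteAddr) {
        int zone = remoteAddr.indexOf('%');           // drop an IPv6 zone id
        String ip = zone < 0 ? remoteAddr : remoteAddr.substring(0, zone);
        if (!IP_LITERAL.matcher(ip).matches()) return false;
        try {
            InetAddress addr = InetAddress.getByName(ip);
            return addr.isLoopbackAddress()
                || NetworkInterface.getByInetAddress(addr) != null;
        } catch (Exception e) {
            return false;                             // fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: loopback forms and a documentation address.
        for (String a : new String[] {"127.0.0.1", "::1", "203.0.113.7"})
            report(a);
        // This host's own interface addresses, as REMOTE_ADDR would show them.
        for (NetworkInterface nic : Collections.list(NetworkInterface.getNetworkInterfaces()))
            for (InetAddress addr : Collections.list(nic.getInetAddresses()))
                report(addr.getHostAddress());
    }

    static void report(String a) {
        System.out.printf("%-40s pattern=%-5b address=%b%n",
            a, allowedByPattern(a), isLocalOrigin(a));
    }
}
```

When a reverse proxy runs on the same machine, every request reaches Tomcat from a local address, so an address-based check like this is only meaningful where clients connect to Tomcat directly.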