-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Leo,
On 11/30/12 5:52 PM, Leo Donahue - RDSA IT wrote: > Ok, so before I upgraded to Tomcat 7.0.33 to use the container > supplied remote address filter, what were my options to restrict > access to just a subdirectory of a web app in Tomcat 6.0.35? <security-constraint> on a <web-resource-collection> with whatever <url-pattern> you want. In web.xml. As Chuck says, restricting by IP address requires that you step outside of the spec-compliant stuff and either write your own Valve (counterproductive IMO), use url-rewrite (our favorite 3rd-party tool), or write your own filter. Please remember that you aren't protecting a directory. Ever. You are protecting a url-pattern and nothing more. While Apache httpd allows you to protect directories such that multiple URLs mapping to that directory are always protected, there is no such analog in the Tomcat world: you will always have to protect based upon URL patterns. > I'll admit, contexts are confusing to me. A context is a thing which has been deployed as a web application. It's got its own web.xml (even if it doesn't actually have one: it will get a default one), ClassLoader, etc. > You can create contexts in conf\Catalina\localhost that map to > places that are not even in the webapps folder, but expose > themselves as a URL to the end user. They don't even have to be backed by the filesystem, really. If Tomcat allowed you to deploy WARs from a database, there really is no filesystem at all. A file in conf/Catalina/localhost can define a context. By default, any .war file or directory in Tomcat's webapps/ directory will be auto-deployed as a context as well. If you want to, you can even put a directory in webapps/ and also create an alias to it using a file in conf/Catalina/localhost, but it's generally not recommended because a) that's not usually what you want to do and b) it's confusing as hell. > My thought was if I could create a context that mapped to a > subdirectory, I could create a valve that restricted access to > that URL. There is no reason for the second context: if you have the Valve, you can restrict it by url-pattern in the one-and-only webapp and not have to artificially create another webapp just for that purpose. > What is the right way to do this in Tomcat 6.0.35? If you need IP-based authorization in Tomcat 6.0.35, I'd go for url-rewrite. Just map /path/to/protect/* to url-rewrite and set up a rule that says "ip != your.special.ip" -> 403.html (or whatever). - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlC5dcEACgkQ9CaO5/Lv0PCxngCggWcf01I3VYYHBAVfJWtszzxZ smIAn1NBWnFodCHDAVZnpNTyxwJSAbgP =pu3c -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
