On 21.01.2015 at 04:24, Leo Donahue wrote:
> On Tue, Jan 20, 2015 at 5:09 PM, Mark Thomas <ma...@apache.org> wrote:
>> The Apache Tomcat team announces the immediate availability of Apache
>> Tomcat 8.0.17.
>> - The RemoteAddrValve and RemoteHostValve can now optionally include
>> the port when filtering along with a new option to trigger
>> authentication rather than denying access
> There are no links on the changelog page for these and I was hoping to see
> some details about why this option was added.
> "Optionally trigger authentication instead of denial in RemoteAddrValve and
> RemoteHostValve"
> http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_Address_Filter
> "The behavior when a request is refused can be changed to not deny but
> instead set an invalid authentication header"
> Example #3
> "To allow unrestricted access to port 8009, but trigger basic
> authentication if the application is accessed on another port:"
> I'm trying to understand this kind of setup.
> If an IP has been allowed to pass through via a Filter to a restricted
> resource, wouldn't the user get the container configured authentication
> dialog anyway?
The original use case was:
- the app does not have authentication configured
- the app is officially only available via an AJP connector
- for admin/testing purposes the app should be made available via an
additional http connector but only for authorized people. Normal people
must go via reverse proxy / AJP.
You can use the above for this kind of setup without "editing" the app
itself.
Regards,
Rainer
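
For reference, a Context fragment for the setup discussed in this thread, following the documentation's Example #3 quoted above. It is an added illustration, not part of any poster's message, and it assumes the AJP connector listens on 8009 and the extra HTTP connector on some other port.

```xml
<!-- Added illustration; assumes an AJP connector on port 8009 and an
     additional HTTP connector on another port (for example 8080)
     defined in server.xml. -->
<!-- preemptiveAuthentication="true" on the Context is required for
     invalidAuthenticationWhenDeny to take effect. -->
<Context preemptiveAuthentication="true">
  <!-- addConnectorPort="true": the valve matches "ADDRESS;PORT"
       instead of the bare client address. -->
  <!-- allow=".*;8009": any client address arriving on connector port
       8009 passes unchanged (the reverse proxy / AJP path). -->
  <!-- invalidAuthenticationWhenDeny="true": a request that fails the
       allow pattern (here, one arriving on any other connector port)
       is not refused. The valve sets an invalid authentication header,
       unless the request already carries one, so the request goes
       through authentication instead. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         addConnectorPort="true"
         invalidAuthenticationWhenDeny="true"
         allow=".*;8009"/>
</Context>
```

The pattern must match the whole "ADDRESS;PORT" string, so an `allow` value written for bare addresses stops matching once `addConnectorPort` is enabled.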