Ognjen,

On 11/19/15 10:14 AM, Ognjen Blagojevic wrote:
> My webapp has a set of resources, let's call that set R. Some of those
> resources need to be accessed only from certain source IP addresses,
> let's call that subset R'. And some subset of R' (let's call it R'')
> needs authentication.
>
> I have a requirement to check source IP address before authentication.
>
> Right now, R' is specified in web.xml RemoteAddrFilter <url-pattern>s,
> and R'' is specified in web.xml <security-constraint> <url-pattern>s.
>
> The problem is, filters are executed after container-managed
> authentication, so login form is presented to the user before
> RemoteAddrFilter kicks in and checks source IP address. That is not what
> I need. Users outside trusted IP ranges should not be able to even know
> about the protected resources, let alone to guess passwords.
>
> RemoteAddrValve, on the other hand, is called before container-managed
> authentication, but it does not allow specifying <url-pattern>s.
>
> What would be a good solution for the above requirement? Extend
> RemoteAddrValve with the ability to specify <url-pattern>s?

I think that may be the only way to do it. IIRC, someone did some work to allow Filters to be used in the valve chain, but I don't think there is any facility for specifying <url-pattern>s for those.

-chris
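
One way the idea discussed in this thread could look, as an added example that is not from either poster and is not Tomcat's own code: a valve that applies a source-IP allow regex only to selected path prefixes and runs ahead of container-managed authentication. The class, package and `protectedPrefixes` attribute are hypothetical, the address range is constructed, prefix matching is a simplification of servlet `<url-pattern>` rules, and Tomcat 10+ would need `jakarta.servlet` imports.

```java
package example; // hypothetical package

import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical valve: source-IP allow list for selected paths only (the set R').
 * Declared in the webapp's Context so it precedes the authenticator valve, e.g.
 *   <Valve className="example.PathRemoteAddrValve"
 *          allow="192\.168\.1\.\d+" protectedPrefixes="/internal/,/admin/"/>
 */
public class PathRemoteAddrValve extends ValveBase {
    private volatile Pattern allow;                      // regex over the remote address
    private volatile String[] prefixes = new String[0];  // context-relative path prefixes

    // Called by Tomcat's Digester for the matching <Valve> attributes.
    public void setAllow(String regex) { allow = Pattern.compile(regex); }
    public void setProtectedPrefixes(String csv) { prefixes = csv.trim().split("\\s*,\\s*"); }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // Context-relative path as decoded and normalized by Tomcat's mapper, the same
        // value <security-constraint> matching uses, so encoded variants cannot slip past.
        String path = request.getRequestPathMB().toString();
        if (isProtected(path) && !isAllowed(request.getRemoteAddr())) {
            // 404 rather than 403: untrusted sources learn nothing about the resource.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        getNext().invoke(request, response); // continue to the authenticator, then the webapp
    }

    private boolean isProtected(String path) {
        if (path == null) return true; // fail closed if the path is unavailable
        for (String p : prefixes) {
            if (!p.isEmpty() && path.startsWith(p)) return true;
        }
        return false;
    }

    private boolean isAllowed(String addr) {
        Pattern p = allow; // an unset allow pattern denies every protected path
        return p != null && addr != null && p.matcher(addr).matches();
    }
}
```

The class has to be on Tomcat's own class path (for example a JAR in `$CATALINA_BASE/lib`), since valves are not loaded from the webapp. Behind a reverse proxy, `getRemoteAddr()` returns the proxy's address unless `RemoteIpValve` runs earlier in the pipeline.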