Gilbert,

On 4/25/20 08:47, Gilbert Soucy wrote:
> Hello,
>
> I am new to tomcat and I need to filter the URLs to accept all
> clients for part of a URL and reject for all clients another part
> of this URL.
>
> In details, I want:
>
>   /abc/def/xyz/* : accepts all
>   /abc/def/*     : reject if URL does not match /abc/def/xyz*
>
> I found that the order in which the filters are done is explained
> in this link (
> https://stackoverflow.com/questions/17086712/servlet-filters-order-of-execution
> ).
>
> Based on this, I did the following 2 filters:
>
> 1) Accept All : this one is the most precise url-pattern and is
>    listed 1st. When matching, I hope to accept all IP addresses
>
> 2) Block All : this one is more general and should match the
>    rest of the URL when the 1st filter does not match. I hope to
>    reject all the IP in this case
>
> Here are the filters, in the order that I add them in web.xml :
>
> <filter>
>   <filter-name>Accept All</filter-name>
>   <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>   <init-param>
>     <param-name>allow</param-name>
>     <param-value>\d+\.\d+\.\d+\.\d+</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>Accept All</filter-name>
>   <url-pattern>/abc/def/xyz/*</url-pattern>
> </filter-mapping>
>
> <filter>
>   <filter-name>Block All</filter-name>
>   <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>   <init-param>
>     <param-name>deny</param-name>
>     <param-value>\d+\.\d+\.\d+\.\d+</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>Block All</filter-name>
>   <url-pattern>/abc/def/*</url-pattern>
> </filter-mapping>
>
> The result is that all URLs ( i.e. /abc/def/* ) are rejected and
> /abc/def/xyz/* is never accepted.
>
> Is there a way to do what I am trying to do ?

Your approach won't work because the servlet container is required to
run all requests through all filters matching the incoming url-pattern.
Since the more-general filter will prohibit all access, the behavior of
the more-specific filter doesn't really matter: the more-specific filter
cannot affect the behavior of the more-general filter in the way you
want because it wasn't written that way.

Since you aren't actually using the RemoteAddrFilter for its intended
purpose (just trying to replicate httpd's "Deny from all" or "Accept
from all" semantics), you can do this in a few ways.

1. Write a Filter to check the path

The filter would be simple:

    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class SelectiveRemoteAddrFilter implements Filter {
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            // getRequestURI() is only available on HttpServletRequest
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            if (httpRequest.getRequestURI().startsWith("/abc/def/xyz/")) {
                // Accept All
                chain.doFilter(request, response);
            } else {
                // Everything else under the filter's mapping is refused
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            }
        }
    }

2. Use servlet-mappings instead of filter-mappings

While filter-mappings are cumulative and therefore multiple filters can
be run on a request, servlet-mappings result in exactly one servlet
being invoked for any particular request.

    <servlet-mapping>
      <servlet-name>do-something-servlet</servlet-name>
      <url-pattern>/abc/def/xyz/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>return-forbidden-servlet</servlet-name>
      <url-pattern>/abc/def/*</url-pattern>
    </servlet-mapping>

You'll need to decide what do-something-servlet is and you can fairly
easily implement return-forbidden-servlet yourself.

3. Get tricky

You could even avoid writing code altogether and do it like this, since
filters can be mapped to servlets instead of url-patterns:

    <servlet>
      <servlet-name>forbidden</servlet-name>
      <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>do-something-servlet</servlet-name>
      <url-pattern>/abc/def/xyz/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>forbidden</servlet-name>
      <url-pattern>/abc/def/*</url-pattern>
    </servlet-mapping>
    <filter-mapping>
      <filter-name>Block All</filter-name>
      <servlet-name>forbidden</servlet-name>
    </filter-mapping>

This allows you to do this with only configuration and not any code
other than what you already have for your own application.

4. Use url-rewrite

Have a look at this:
https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html

Or this:
https://tuckey.org/urlrewrite/

I believe you could build what you desire with configuration of either
of the two tools above.

Hope that helps,
-chris
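
A variant of the path-checking filter from option 1, added here as an example and not part of the original message: it compares the path the container itself used for mapping (servlet path plus path info) instead of the raw request URI, which still carries the context path and whatever undecoded segments the client sent. The class name `PathPrefixGateFilter` and the `allowPrefix` init-param are hypothetical; the code assumes the `javax.servlet` API of Tomcat 9 and a filter-mapping of `/abc/def/*`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter; map it to /abc/def/* so it sees every request under that tree. */
public class PathPrefixGateFilter implements Filter {

    // Default is the prefix from the thread; "allowPrefix" is an assumed init-param name.
    private String allowPrefix = "/abc/def/xyz/";

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("allowPrefix");
        if (configured != null && !configured.isEmpty()) {
            // Force a trailing slash so "/abc/def/xyz" cannot match "/abc/def/xyzzy".
            allowPrefix = configured.endsWith("/") ? configured : configured + "/";
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Decoded path relative to the context root, as matched against url-patterns.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        if (path.startsWith(allowPrefix)) {
            chain.doFilter(request, response);                     // allowed subtree
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);  // rest of /abc/def/*
        }
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Because the comparison is relative to the context root, the same filter behaves identically whether the application is deployed as ROOT or under a named context path.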