Hello, I am using Apache Tomcat 9.0.45, running on a CentOS 7 server. On this server I have a couple of applications (APIs mostly) that need to have their access restricted to 2 specific servers.

SERVER A <------> api call <------> TOMCAT SERVER - OK 200
SERVER B <------> api call <------> TOMCAT SERVER - OK 200

If the request is not made by server A or B, Tomcat should return a 403 or 404. The manager page should be available to any machine on our internal network (the sysadmin would have access to the login credentials).

At the moment, I could only manage to:

1 - restrict the access globally (not just the APIs but also the manager page);
2 - restrict the access to the manager page (credentials required);
3 - restrict the access to the APIs only, but with login credentials required (this is not what I need, as the API call will be made by servers, not users).

For options 1 and 2, I have changed server.xml ({$CATALINA_HOME}/conf) and added the below:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>

Please note that I have amended the IPs accordingly. This was done in addition to the existing configuration in {$CATALINA_HOME}/webapps/manager/META-INF/context.xml, with the following:

    <Context antiResourceLocking="false" privileged="true" >
      <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" sameSiteCookies="strict" />
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1 |.*" />
      <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
    </Context>

I understand that a 'Context Fragment' can be added to individual applications; however, this is not ideal for us because:

1 - Instead of me (one of the sysadmins) managing access, this responsibility would be handed over to the API developer to add to his/her code to be deployed;
2 - This would also require saving credentials at code level.

I am exploring now the options on 'Security-Constraint' for IP restrictions, but could not work it out quite yet. There is also another option, that is, firewall rules. However, it does not seem to help, as the servers involved are in our internal network and the restrictions seem to be applied to servers, not different paths.

I hope I have provided clear details of the issue I am trying to solve. Thank you very much in advance for any idea/suggestion.

Kind Regards,
CidinhaDev
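As an added illustration (not part of the original post), a per-application RemoteAddrValve can live in a context file that the sysadmin owns rather than inside the WAR: Tomcat reads $CATALINA_BASE/conf/Catalina/localhost/<appname>.xml for the context /<appname>, and that file takes precedence over the WAR's META-INF/context.xml, so the developer's code stays untouched. The application name myapi, the two caller addresses and the internal subnet below are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example file: $CATALINA_BASE/conf/Catalina/localhost/myapi.xml
     (assumed app name). Applies only to the context /myapi, so the
     manager application and any other webapp are not affected. -->
<Context>
  <!-- Only the two calling servers (placeholder addresses) may reach
       this API. The regex must match the whole remote address, so no
       anchors are needed. denyStatus switches the rejection from the
       default 403 to 404, so an unauthorised host learns nothing about
       whether the path exists. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="10\.0\.0\.11|10\.0\.0\.12"
         denyStatus="404" />
</Context>
```

The manager application keeps its own file ($CATALINA_BASE/conf/Catalina/localhost/manager.xml) with an allow list covering the internal subnet instead of `.*`, so each context carries exactly the restriction it needs. If the API calls arrive through a reverse proxy, the valve sees the proxy's address rather than server A or B, which changes what the allow list must contain.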