Hello Mark,

Thanks for your email.
I have tried the option mentioned and the restriction to the application
worked.
However, when I tried to redeploy the war file, the 'foo.xml' was removed.
So, this leads me to the conclusion a foo.xml file will need to be added
every time there is a new deployment.
According to the Tomcat
doc, $CATALINA_BASE/<engine-name>/<host-name>/foo.xml should not be
affected by future deployments.
Am I missing something?
Thanks

On Mon, 10 May 2021 at 18:07, Mark Thomas <ma...@apache.org> wrote:

> On 10/05/2021 17:32, Christopher Schultz wrote:
> > CidinhaDev,
> >
> > On 5/10/21 09:46, Mar Sil wrote:
> >> Hello,
> >>
> >> I am using Apache Tomcat 9.0.45, running on CentOS 7 server.
> >> On this server I have a couple of applications (APIs mostly) that need
> to
> >> have the access restricted to 2 specific servers.
> >> SERVER A        <------> api call  <------>TOMCAT SERVER -  OK 200
> >> SERVER B       <------> api call  <------> TOMCAT SERVER - OK 200
> >>
> >> If the request is not made by server A or B, tomcat should return a
> >> 403 or
> >> 404.
> >> The manager page should be available to any machine on our internal
> >> network
> >> (the sysadmin would have access to the login credentials).
> >>
> >> At the moment, I could only manage to:
> >> 1 - restrict the access globally (not just the APIs but also the manager
> >> page);
> >> 2 - restrict the access to the manager page (credentials required).
> >> 3 - restrict the access to the APIs only, but with login credentials
> >> required (this is not what I need as the API call will be made by
> >> servers,
> >> not users)
> >>
> >> For option 1 and 2, I have changed the server.xml
> >> ({$CATALINA_HOME}/conf),
> >> and added the below:
> >> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> >>     allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
> >> Please note that I have amended the ips accordingly.
> >> This was done in addition to existing configuration on
> >> {$CATALINA_HOME}/webapps/manager/META-INF/context.xml with the following:
> >> <Context antiResourceLocking="false" privileged="true" >
> >>    <CookieProcessor
> >> className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
> >>                     sameSiteCookies="strict" />
> >>    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> >>           allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1 |.*" />
> >>    <Manager
> >> sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
> >>
> >> </Context>
> >>
> >> I understand a 'Context Fragment' can be added to
> >> individual applications, however this is not ideal for us because:
> >> 1 - Instead of me (one of the sysadmins) managing access, this
> >> responsibility would be handed over to the API developer to add to
> >> his/her
> >> code to be deployed;
> >> 2 - This would also require saving credentials at code level
> >>
> >> I am exploring now the options on 'Security-Constraint' on IP
> >> restrictions,
> >> but could not work it out quite yet.
> >> There is also another option that is firewall rules. However, it does
> not
> >> seem to help as the servers involved are in our internal network and the
> >> restrictions seem to be applied to servers, not different paths.
> >>
> >> I hope I have provided clear details of the issue I am trying to solve.
> >> Thank you very much in advance for any idea/suggestion.
> >
> > It sounds like the tools available aren't able to meet your needs. In
> > short:
> >
> > 1. IP/port-based firewalls can't distinguish between "paths" of a URL
> > 2. RemoteAddrValve can be applied at <Host> or <Context> level, but you
> > do not want to configure these in server.xml and/or an application's
> > META-INF/context.xml file
> >
> > I want to double-check on #2 above: you said you wanted the developer of
> > the APIs to determine who can call them. If that developer bundles a
> > META-INF/context.xml file with the RemoteAddrValve configured in it,
> > would that meet your needs?
>
> There is another option. Extract the context.xml from the foo.WAR file,
> add the RemoteAddrValve and then place the context.xml file in
> $CATALINA_BASE/<engine-name>/<host-name>/foo.xml
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

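Added example, not code from the thread or from Tomcat: a small POSIX shell helper that produces the per-application context fragment Mark describes and drops it where Tomcat's host deployer looks for it. Tomcat reads such fragments from $CATALINA_BASE/conf/<engine-name>/<host-name>/<app>.xml (note the conf/ component, which the quoted path omits); the engine "Catalina", host "localhost", application name "foo" and the two caller addresses 10.0.0.5 and 10.0.0.6 are assumed values standing in for SERVER A and SERVER B. RemoteAddrValve matches the whole remote address against the allow regex, so dots are escaped here; a literal "10.0.0.5" would also admit other strings the dot can match.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a context fragment
# carrying a RemoteAddrValve for one application and install it under
#   $CATALINA_BASE/conf/Catalina/localhost/<app>.xml
# Engine/host names, the app name and the addresses below are assumptions.

# ip_allow_regex ADDR... -> regex that matches exactly those addresses.
# RemoteAddrValve does a full match of the client address against the
# pattern, so every dot is escaped to keep it a literal dot.
ip_allow_regex() {
    out=""
    for ip in "$@"; do
        esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
        if [ -z "$out" ]; then out="$esc"; else out="$out|$esc"; fi
    done
    printf '%s' "$out"
}

# context_fragment ALLOW_REGEX -> XML text of the fragment on stdout.
# Requests from any other address are refused with 403 (the valve default;
# set denyStatus="404" on the Valve if a 404 is preferred).
context_fragment() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <!-- Only the listed caller addresses may reach this application. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="$1" />
</Context>
EOF
}

# war_context_xml WAR -> the META-INF/context.xml shipped inside the WAR, if
# any, so existing settings can be merged by hand before adding the valve.
# Requires unzip; prints nothing when the WAR carries no fragment.
war_context_xml() {
    command -v unzip >/dev/null 2>&1 || return 1
    unzip -p "$1" META-INF/context.xml 2>/dev/null
}

# install_fragment APP CATALINA_BASE ALLOW_REGEX -> path of the written file.
install_fragment() {
    app=$1; base=$2; allow=$3
    dir="$base/conf/Catalina/localhost"
    mkdir -p "$dir"
    context_fragment "$allow" > "$dir/$app.xml"
    printf '%s' "$dir/$app.xml"
}

# Demo with constructed values: ./restrict.sh --demo /opt/tomcat
if [ "${1:-}" = "--demo" ]; then
    base=${2:-/opt/tomcat}
    f=$(install_fragment foo "$base" "$(ip_allow_regex 10.0.0.5 10.0.0.6)")
    echo "wrote $f:"
    cat "$f"
fi
```

Two caveats worth checking against the posted configuration: an allow list that ends in an alternative such as `|.*` matches every address, so the valve quoted above for the manager application admits all clients; and whatever ends up in conf/Catalina/localhost/foo.xml should be re-verified after each WAR redeploy, since the thread reports the fragment disappearing.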