Tim,

On 3/21/22 13:51, Scott,Tim wrote:
Hi all,

I’ve been trying to get this to work for a bit without any luck.

What I’ve arrived at, in my main Tomcat web.xml, is:

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

     <filter>
       <filter-name>Remote Address Filter</filter-name>
       <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
       <init-param>
         <param-name>allow</param-name>
         <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
       </init-param>
     </filter>

     <filter-mapping>
       <filter-name>Remote Address Filter</filter-name>
       <url-pattern>/sru/*</url-pattern>
     </filter-mapping>

This is more-or-less a copy/paste from the documentation at https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_Address_Filter, but the url-pattern is presenting me some problems.

There are (for various business reasons) planned to be two applications on this Tomcat – one at “/sru/…” and one not.

The one at “/sru” needs to have a filter applied to stop it being accessed from non-whitelisted sources. The other application is public.

Or, I need to do some development work to integrate with our corporate authentication mechanism – for requests that have already been authenticated and are arriving from another, internal, server. To me, that seems like a waste of time.

If I adjust the url-pattern to:

       <url-pattern>/*</url-pattern>

… then all access from other clients for both applications get an http/403 response. No surprise, there.

If I make the pattern:

       <url-pattern>/sru/*</url-pattern>

               (or some variations thereof – “sru”, “/sru”, “/sru/”, “/sru*”, …)

… then both applications are equally accessible from other clients.

Is what I’m trying to do possible?

                I’m using Tomcat 9.0.54.

If it should work – can anyone spot what I’ve missed?

Thanks,

Tim

What is the context path of your web application? The filter should ignore the context-path and only look at URLs relative to that context-path.

So if your context-path is /sru then you really just want to look at /* and not /sru*

The other question is "which web.xml are you editing"? If you are editing the one in CATALINA_BASE/conf/web.xml then that's the wrong one as it applies to all web applications... but again the URLs will all be relative to their individual context-paths.

-chris
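
Chris's two points combined, as an added example that is not part of the original thread: the filter is declared in the restricted application's own deployment descriptor instead of CATALINA_BASE/conf/web.xml, and the pattern is written relative to the context path. It assumes the restricted application is deployed with context path /sru and that its descriptor is at webapps/sru/WEB-INF/web.xml, neither of which the thread confirms.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file: webapps/sru/WEB-INF/web.xml (context path /sru).
     CATALINA_BASE/conf/web.xml is merged into every web application, so a
     filter declared there is applied to the public application as well. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

  <filter>
    <filter-name>Remote Address Filter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
      <param-name>allow</param-name>
      <!-- Value as posted in the thread: loopback addresses only. -->
      <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
    </init-param>
  </filter>

  <!-- url-pattern is matched against the path AFTER the context path.
       A request for /sru/search is seen by this application as /search,
       so "/*" covers the whole application. "/sru/*" here would only
       match requests of the form /sru/sru/..., which is why that pattern
       left the application open. -->
  <filter-mapping>
    <filter-name>Remote Address Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- The application's existing servlets and mappings follow here. -->
</web-app>
```

To check the result, request a /sru URL and a URL of the public application from a host outside the allow list: the first should return 403 and the second should still be served. With the allow value as posted, the internal server that forwards the authenticated requests would also be rejected until its address is added to the expression.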
