Best thing to do is to front Apache HTTP Server listening on port 80 to forward requests to Tomcat using mod_jk.

You can then use "allow and deny" in your web server (Apache HTTP Server) to control the access for specific URLs ... this is far easier to maintain :)

Have a look at http://httpd.apache.org/docs/2.0/mod/core.html (allow from and deny from)
And http://tomcat.apache.org/faq/connectors.html for mod_jk stuff ...

Please do not use mod_jk2....
If you want more info please let us know ...

Regards
Guru

-----------------------------------------------------------------------------------
Gurumoorthy Raghupathy
Email : [EMAIL PROTECTED]
-----------------------------------------------------------------------------------

-----Original Message-----
From: Tim Booth [mailto:[EMAIL PROTECTED]
Sent: 17 April 2007 19:11
To: users@tomcat.apache.org
Subject: Host-based access to web applications

Dear All,

I'm hoping someone on this list can help me out. I'm running Tomcat 5.5.20 on a staging server (192.171.160.186), which means that I want to be able to open some features to the world at large but restrict others to my own trusted machines for internal use. Specifically, my desired configuration is:

1) ROOT web application open to the world, so people can see my custom front page
2) "/mibbi" webapp open to the world, as this is the actual thing I'm developing and showing to beta testers
3) Everything else, including the /manager area and /exist (the XML database RPC interface) should be off limits to all but a set of explicitly listed IP addresses - i.e. localhost and my own box (192.171.160.155).

Starting with a pretty-much default Tomcat installation, and based on the info in the Tomcat manual, I've added the following to the <Host> section in server.xml

SNIP>>>
<!-- Default rule - Restrict most services to trusted hosts: localhost and texugo -->
<Context path="">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127.0.0.1,192.171.160.155,192.171.160.186" deny=""/>
</Context>

<!-- I want to allow public access to the front page on the site -->
<Context path="/ROOT" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow=".*" deny="" />
</Context>

<!-- Allow MIBBI area access from anyone -->
<Context path="/mibbi" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow=".*" deny="" />
</Context>
<<<SNIP

With the above settings in place I try to access the server from another 'untrusted' machine (192.171.174.146) but I get the following results:

http://192.171.160.186:8080/ - access denied (!)
http://192.171.160.186:8080/manager/html - access granted (!)
http://192.171.160.186:8080/exist - access granted (!)
http://192.171.160.186:8080/mibbi - access granted

So I have only succeeded in blocking access to the front page, which is one of the two areas I wanted to leave unblocked. I've tried several permutations on the above, but with no more joy. Can anyone suggest a correct configuration, or an alternative way of getting what I want?

Many thanks in advance,

TIM

--
Tim Booth <[EMAIL PROTECTED]>
NEBC at CEH Oxford

--
This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
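
Why the posted contexts give the results reported in the original message, as an added Python model that is not code from either post or from Tomcat: a request goes to the context with the longest matching path, path "" is the root web application rather than a default for the host, and only that context's valve is consulted. It assumes /manager and /exist are deployed as their own contexts without a valve; REVISED is a constructed alternative layout.

```python
import re

def patterns(csv):
    """Split a comma-separated valve attribute into compiled regexes."""
    return [re.compile(p.strip()) for p in csv.split(",") if p.strip()]

def valve_permits(allow, deny, addr):
    """RemoteAddrValve decision: deny patterns first, then allow patterns."""
    denies, allows = patterns(deny), patterns(allow)
    if any(p.fullmatch(addr) for p in denies):
        return False
    if any(p.fullmatch(addr) for p in allows):
        return True
    # Only deny patterns configured and none matched: the request passes.
    return bool(denies) and not allows

def map_context(contexts, uri):
    """Longest context path that prefixes the URI; "" catches the rest."""
    hits = [p for p in contexts if p == "" or uri == p or uri.startswith(p + "/")]
    return max(hits, key=len)

def access(contexts, uri, addr):
    """True if the mapped context has no valve or its valve permits addr."""
    valve = contexts[map_context(contexts, uri)]
    return valve is None or valve_permits(valve[0], valve[1], addr)

TRUSTED = "127.0.0.1,192.171.160.155,192.171.160.186"

# Contexts as posted: path -> (allow, deny), None = no valve.
# Assumption: /manager and /exist are separate contexts with no valve.
POSTED = {
    "": (TRUSTED, ""),       # this IS the root webapp, not a host default
    "/ROOT": (".*", ""),     # only reached by URIs starting with /ROOT
    "/mibbi": (".*", ""),
    "/manager": None,
    "/exist": None,
}

# Constructed alternative: public contexts open, valve on each private one.
REVISED = {
    "": None,
    "/mibbi": None,
    "/manager": (TRUSTED, ""),
    "/exist": (TRUSTED, ""),
}

def results(contexts, addr):
    """Decision for the four URLs tested in the original message."""
    uris = ("/", "/manager/html", "/exist", "/mibbi")
    return {u: access(contexts, u, addr) for u in uris}
```

In the revised layout nothing acts as a default rule: any further web application deployed on the host stays reachable from every address until it gets its own valve.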