Thank you all for the replies and detailed explanation. Now I understand what's happening. My specific problem is to restrict a single web application to clients coming from localhost only. This was not working (everything blocked):

<Context>
  <Valve className="org.apache.catalina.valves.RemoteHostValve"
         allow="localhost"/>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1" deny="" />
</Context>

I am using a Mac and, after your replies, I tried to see what request.getRemoteAddr() and request.getRemoteHost() return. Well, it turns out that they both return "0:0:0:0:0:0:0:1%0", so now everything works with:

<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,0:0:0:0:0:0:0:1\%0" deny="" />
</Context>


Moreover, André's reply is pretty convincing, although it seems to imply that RemoteHostValve should be avoided (isn't DNS reverse lookup cached?) and cannot be chained with RemoteAddrValve. Of course one can do what you suggest, although this is a bit impractical in large networks where one wouldn't like to care about IP changes of symbolic names. Worse, I don't see what I could do to grant access to single PCs in those LANs where users have fixed host names for their PCs, but DHCP-assigned IPs (OK, maybe it's a theoretical case, I would probably switch to user/password).

Cheers.

Marco.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
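
The two configurations in the message above, replayed against a small model of the valve decision. This is an added example, not code from the message or from Tomcat. It assumes allow/deny are comma-separated regexes that must match the whole value, that deny is checked first, that every valve in a Context must permit the request, and that getRemoteHost() returns the address string when no name is resolved. ValveModel and its methods are hypothetical names.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ValveModel {
    // Simplified model (assumption): split the attribute on commas and
    // compile each non-empty entry as a regular expression.
    static List<Pattern> compile(String list) {
        List<Pattern> out = new ArrayList<>();
        for (String p : list.split(",")) {
            if (!p.trim().isEmpty()) out.add(Pattern.compile(p.trim()));
        }
        return out;
    }

    // True if any pattern matches the whole value (not just a prefix).
    static boolean anyMatch(List<Pattern> patterns, String value) {
        for (Pattern p : patterns) {
            if (p.matcher(value).matches()) return true;
        }
        return false;
    }

    // One valve: a deny match rejects; otherwise an allow match is required
    // whenever an allow list is configured.
    static boolean permits(String allow, String deny, String value) {
        List<Pattern> allows = compile(allow);
        if (anyMatch(compile(deny), value)) return false;
        return allows.isEmpty() || anyMatch(allows, value);
    }

    public static void main(String[] args) {
        String v6 = "0:0:0:0:0:0:0:1%0"; // value reported in the message
        String v4 = "127.0.0.1";         // constructed: IPv4 loopback client

        // First configuration: host valve AND address valve must both permit.
        for (String client : new String[] {v6, v4}) {
            boolean host = permits("localhost", "", client);
            boolean addr = permits("127\\.0\\.0\\.1", "", client);
            System.out.println(client + " first config: host=" + host
                    + " addr=" + addr + " -> " + (host && addr));
        }
        // Second configuration: one address valve listing both loopback forms.
        String fixed = "127\\.0\\.0\\.1,0:0:0:0:0:0:0:1\\%0";
        System.out.println(v6 + " second config -> " + permits(fixed, "", v6));
        System.out.println(v4 + " second config -> " + permits(fixed, "", v4));
        // Whole-string matching keeps look-alike addresses out.
        System.out.println("127.0.0.10 -> " + permits(fixed, "", "127.0.0.10"));
    }
}
```

Under these assumptions the first configuration rejects both loopback clients, because the host valve never sees the literal string "localhost", while the second admits both. The "%0" suffix is an IPv6 zone identifier, so the pattern has to match whatever getRemoteAddr() actually reports on the machine in question.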
