Tomcat: Restrict access to localhost for /just one/ webapp
I'm running Tomcat 6 to serve several web apps, most of which are public-facing. But I'd like to restrict access to just one webapp, allowing connections only from localhost.
I can restrict access for all webapps using a valve in context.xml, as described in:
- Tomcat Restrict access by IP address
But I can't figure out how to restrict access on a per-app basis. Is there a way to do this with my app's web.xml? Or by adding additional rules to context.xml?
Thanks,
-B
Recapping Solution:
$ cp /var/lib/tomcat6/conf/context.xml \
/var/lib/tomcat6/conf/Catalina/localhost/my-app-name.xml
$ cat /var/lib/tomcat6/conf/Catalina/localhost/my-app-name.xml
<Context>
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="localhost"/>
... {as previously} ...
</Context>
You can create an individual context.xml for your app.
This is an excerpt from the Tomcat doc on context configuration: Context elements may be explicitly defined:
- In the $CATALINA_HOME/conf/context.xml file: the Context element information will be loaded by all webapps.
- In the $CATALINA_HOME/conf/[enginename]/[hostname]/context.xml.default file: the Context element information will be loaded by all webapps of that host.
- In individual files (with a .xml extension) in the $CATALINA_HOME/conf/[enginename]/[hostname]/ directory. The name of the file (less the .xml) extension will be used as the context path. Multi-level context paths may be defined using #, e.g. foo#bar.xml for a context path of /foo/bar. The default web application may be defined by using a file called ROOT.xml.
- Only if a context file does not exist for the application in the $CATALINA_HOME/conf/[enginename]/[hostname]/; in an individual file at /META-INF/context.xml inside the application files. If the web application is packaged as a WAR then /META-INF/context.xml will be copied to $CATALINA_HOME/conf/[enginename]/[hostname]/ and renamed to match the application's context path. Once this file exists, it will not be replaced if a new WAR with a newer /META-INF/context.xml is placed in the host's appBase.
Allowing localhost didn't work for me. I use RemoteAddrValve instead. Keep in mind that some systems use IPv4 addresses (your filter has to match 127.0.0.1) while others use IPv6 addresses (match the full address, not abbreviated notations like ::1).
<Context>
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="0:0:0:0:0:0:0:1,127\.0\.0\.1" />
</Context>
The attribute allow takes a regexp, so dots need to be escaped. As explained by Dmitry Negoda, this goes in /META-INF/context.xml.
Go to the following path: C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf\Catalina\localhost\
Under this path you will find the "manager.xml" file.
Edit the "manager.xml" file with the following content:
<!-- allow is a comma-separated list of regular expressions, so the dots are escaped -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.0\.0\.1,10\.100\.1\.2"/>
<!-- Link to the user database we will get roles from
<ResourceLink name="users" global="UserDatabase"
type="org.apache.catalina.UserDatabase"/>
-->
Save and run the server... you got it. NOTE: 127.0.0.1 means your system's IP; 10.100.1.2 is your friend.
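An added example, not part of the original answers or of Tomcat's code: a Python check that reads a context file like the ones above and reports whether its RemoteAddrValve allow list admits both loopback spellings and nothing else. It assumes the Tomcat 6 behaviour the answers rely on (comma-separated patterns, each matched against the whole address) and approximates java.util.regex with Python's re; the probe addresses and function names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the per-app context file from the RemoteAddrValve answer.
CONTEXT_XML = r'''<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="0:0:0:0:0:0:0:1,127\.0\.0\.1" />
</Context>'''

# Constructed probes: both loopback spellings, then addresses that must be refused.
LOOPBACK = ("127.0.0.1", "0:0:0:0:0:0:0:1")
OUTSIDE = ("10.100.1.2", "203.0.113.7")


def allow_patterns(context_xml):
    """Collect the comma-separated allow patterns of each RemoteAddrValve."""
    patterns = []
    for valve in ET.fromstring(context_xml).iter("Valve"):
        if valve.get("className", "").endswith(".RemoteAddrValve"):
            raw = valve.get("allow", "")
            patterns += [p.strip() for p in raw.split(",") if p.strip()]
    return patterns


def admitted(address, patterns):
    """Assumed valve behaviour: one pattern must match the entire address."""
    return any(re.fullmatch(p, address) for p in patterns)


def audit(context_xml):
    """Report whether the file limits the webapp to loopback clients only."""
    patterns = allow_patterns(context_xml)
    if not patterns:
        # No allow list means this file does not restrict the webapp by address.
        raise ValueError("no RemoteAddrValve allow list found")
    return {
        "loopback_refused": [a for a in LOOPBACK if not admitted(a, patterns)],
        "outside_admitted": [a for a in OUTSIDE if admitted(a, patterns)],
        # A dot without a backslash matches any character, not just ".".
        "bare_dots": [p for p in patterns if re.search(r"(?<!\\)\.", p)],
    }


if __name__ == "__main__":
    for key, value in audit(CONTEXT_XML).items():
        print(f"{key}: {value or 'none'}")
```

An empty `loopback_refused` and an empty `outside_admitted` together mean the file restricts the webapp to local clients under both IPv4 and IPv6.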