Tomcat: Restrict access to localhost for /just one/ webapp
I'm running Tomcat 6 to serve several web apps, most of which are public-facing. But I'd like to restrict access to just one webapp, allowing connections only from localhost.
I can restrict access for all webapps using a valve in context.xml, as described in:
- Tomcat Restrict access by IP address
But I can't figure out how to restrict access on a per-app basis. Is there a way to开发者_开发百科 do this with my app's web.xml? Or by adding additional rules to context.xml?
Thanks,
-B
Recapping Solution:
$ cp /var/lib/tomcat6/conf/context.xml \
/var/lib/tomcat6/conf/Catalina/localhost/my-app-name.xml
$ cat /var/lib/tomcat6/conf/Catalina/localhost/my-app-name.xml
<Context>
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="localhost"/>
... {as previously} ...
</Context>
You can create an individual context.xml for you app.
This is an excerpt from Tomcat doc on context configuraion: Context elements may be explicitly defined:
- In the
$CATALINA_HOME/conf/context.xml
file: the Context element information will be loaded by all webapps. In the$CATALINA_HOME/conf/[enginename]/[hostname]/context.xml.default
file: the Context element information will be loaded by all webapps of that host. - In individual files (with a
.xml
extension) in the$CATALINA_HOME/conf/[enginename]/[hostname]/
directory. The name of the file (less the.xml
) extension will be used as the context path. Multi-level context paths may be defined using#
, e.g.foo#bar.xml
for a context path of/foo/bar
. The default web application may be defined by using a file calledROOT.xml
. - Only if a context file does not exist for the application in the
$CATALINA_HOME/conf/[enginename]/[hostname]/
; in an individual file at/META-INF/context.xml
inside the application files. If the web application is packaged as a WAR then/META-INF/context.xml
will be copied to$CATALINA_HOME/conf/[enginename]/[hostname]/
and renamed to match the application's context path. Once this file exists, it will not be replaced if a new WAR with a newer/META-INF/context.xml
is placed in the host's appBase.
Allowing localhost
didn't work for me. I use RemoteAddrValve
instead. Keep in mind that some systems use IPv4 addresses (your filter has to match match 127.0.0.1
) while others use IPv6 addresses (match the full address, not abbreviated notations like ::1
).
<Context>
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="0:0:0:0:0:0:0:1,127\.0\.0\.1" />
</Context>
The attribute allow
takes a regexp, so dots need to be escaped. As explained by Dmitry Negoda, this goes in /META-INF/context.xml
.
Goto following path: C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf\Catalina\localhost\
Under this path you find " manager.xml " file.
Edit " manager.xml " file,with following content:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127.0.0.1,10.100.1.2"/>
<!-- Link to the user database we will get roles from
<ResourceLink name="users" global="UserDatabase"
type="org.apache.catalina.UserDatabase"/>
-->
****** save and run server....You got it. NOTE : 127.0.0.1 MEANS YOUR SYSTEM IP 10.100.1.2 -THIS IS YOUR FRIEND
精彩评论