开发者

Prevent access to certain webapps in Tomcat6

问答 作者:

I asked this on server fault but really havent had much luck, hoping that someone here would be able to offer some advice...

I have a Tomcat 6 server running just fine. I have external access working. I wanted to know how to prevent someone from seeing specific webapps, for example, I dont want external access to the ROOT tomcat page. How would I go about preventing some webapps while leaving other webapps visible to external users ?

Here's what I've tried: This denies everything even 127.0.0.1 requests

<Host name="localhost"  appBase="webapps"
                unpackWARs="true" autoDeploy="true"
                xmlValidation="false" xmlNamespaceAware="false">

    <Context path="/examples" docBase="" >
       <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
    </Context>
  </Host>

This denies everything as well.

<Host name="localhost"  appBase="webapps"
                    unpackWARs="true" autoDeploy="true"
                    xmlValidation="false" xmlNamespaceAware="false">

        <Context path="/examples" docBase="" >
           <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="*"/>
        </Context>
      </Host>

Basically I am trying to prevent access to the ROOT default tomcat pa开发者_开发技巧ge and the example apps....

Any ideas?

You can't use a wild card for the allow attribute...on the other hand you can use one for the deny attribute.

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="*"/>

This is why I was getting a 403 with the above code.

Also another way I handled this was I created a jsp that redirected traffic to wherever I wanted.

take a look at the documentation. http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

What you have seems to be correct. it says "If this attribute is specified, the remote address MUST match for this request to be accepted."

One thing you might look at is to see whether 127.0.0.1 is really the correct IP. You might be actually using the actual IP of the box. try adding that IP address after the localhost one.

The value of the "allow" property must be defined using backslashes to escape the dots of the allowed IP address:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>

This could be an IPv6 issue. This is what my tomcat6/Catalina/myApp.xml looks like: 

<!--<?xml version="1.0" encoding="UTF-8"?> -->
<Context path="/myApp" privileged="true">
     <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1,0:0:0:0:0:0:0:1"/>
</Context>

This can be tested by the following which would yield 403 if you're denied access

wget --inet4-only http://localhost:8080/myApp

继续阅读:tomcat6

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9