Re: Authenticate requests from localhost using tomcat RemoteAddrFilter

Mon, 24 Sep 2012 20:22:21 -0700

One of the platform team's filter was overriding the remote address with actual ip :( I removed their filter and verified. 
Apologies and thanks everyone for their time.

Thanks

On 9/24/12 11:58 AM, Christopher Schultz wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jaikit,

On 9/22/12 6:04 PM, Jaikit Savla wrote:

I have some admin api's which I want to have restricted access

I think you mean APIs. "admin api's which" is a possessive even a
native English speaker can't figure out.


- such that only if the request originates from localhost - it will
execute. For that I am using tomcat's RemoteAddrfilter

<filter> <filter-name>Remote Address Filter</filter-name> ...
<param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
... </filter>

Now when I execute the request from localhost - request fails with
403. Reason being "REMOTE_ADDR" is set with actual ip of the
machine and filter does string comparison of ip. Hence it fails.

How do you do the request? If it's like this:


-bash-4.1$ curl -v http://localhost/ws/local/info * About to
connect() to localhost port 80 (#0) *   Trying 127.0.0.1...
connected * Connected to localhost (127.0.0.1) port 80 (#0)

GET /ws/local/vip/info HTTP/1.1 User-Agent: curl/7.21.7
(x86_64-unknown-linux-gnu) libcurl/7.21.7 OpenSSL/0.9.8o
zlib/1.2.3 libidn/1.18 libssh2/1.2.2 Host: localhost Accept: */*


< HTTP/1.1 403 Forbidden

...then I don't understand why you aren't getting 127.0.0.1 as the
REMOTE_ADDR. Do you have anything weird in /etc/hosts like 'localhost
108.13.226.208' or any folishness with the routing table which makes
localhost take the long route through ethX?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBgrU4ACgkQ9CaO5/Lv0PALmgCgwlIRgtaGRhsM03gvfDguTGJ8
VpEAoKNpwD+zNmvBBsIqxv2/IngmAt1T
=ExFV
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to