On Apr 16, 2014, at 1:42 PM, Mark Murphy <jmarkmur...@gmail.com> wrote:
> How do I prevent Tomcat 6 from responding to a request to an IP address,
> that is I only want my Tomcat server to respond to requests to
> www.mydomain.com vs. 10.1.1.1.

Just an idea, but you could probably do this with a filter or a valve. You could try looking at request.getServerName() (or just the host header) and using that to approve or deny the request. Tomcat has a valve that you can subclass to make this easier (if you go with a valve).

http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/RequestFilterValve.java?view=markup

An example of this is the RemoteHostValve.

http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/RemoteHostValve.java?view=markup

> Is this possible?
>
> The problem is that our web security scanner is reporting "Web Server Uses
> Basic Authentication Without HTTPS",

Is basic auth enabled (look through your application's web.xml files for "auth-method" set to "BASIC")? If so, is disabling it an option? If not, you should look at setting a "transport-guarantee" of "CONFIDENTIAL" in web.xml so that the application will redirect to HTTPS (or worst case use a filter like the UrlRewriteFilter to force HTTPS).

> and the infrastructure guys think it is because Tomcat allows connection to
> the IP address.

I'm not sure how this is expected to help. I suppose if the scanner was sending requests using the IP address and not the host, you could filter and block those requests. That might trick the scanner into thinking the server is not accepting basic authentication. I'm not sure how it would address the issue mentioned by the scanner though (assuming the scanner is not at fault here).

Dan
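The valve approach suggested in the reply, written out as an added example (this is not code from the thread or from Tomcat itself): a subclass of Tomcat 6's RequestFilterValve that filters on request.getServerName(), the way RemoteHostValve filters on the client's remote host. The class and package names are hypothetical; the allow/deny attributes, the process() helper and the invoke() signature are the ones RequestFilterValve and ValveBase provide in the tc6.0.x tree linked above.

```java
package com.example.tomcat; // hypothetical package

import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.RequestFilterValve;

/**
 * Hypothetical valve that filters on the host name the client asked for
 * (the Host header, as exposed by request.getServerName()) rather than on
 * the client's own host, which is what RemoteHostValve filters on.
 *
 * Register it on the Engine, Host or Context in server.xml, for example:
 *
 *   <Valve className="com.example.tomcat.ServerNameValve"
 *          allow="www\.mydomain\.com" />
 *
 * "allow" and "deny" are inherited from RequestFilterValve and hold regular
 * expressions. A request whose server name matches no allow pattern is
 * answered with 403 before it reaches any web application, so a request
 * addressed to 10.1.1.1 never gets as far as the BASIC challenge.
 */
public class ServerNameValve extends RequestFilterValve {

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // getServerName() is derived from the Host header. If the request
        // carries no Host header at all, the connector substitutes a local
        // address or name, which will not match the allow pattern either.
        String serverName = request.getServerName();

        // process() is the RequestFilterValve helper: it checks the value
        // against the deny and allow patterns, calls getNext().invoke() on
        // a match, and otherwise sends SC_FORBIDDEN.
        process(serverName, request, response);
    }
}
```

Compile it against catalina.jar, drop the resulting jar in Tomcat's lib directory, and add the Valve element to server.xml. This only stops requests that name the IP address in the Host header; as the reply notes, it does nothing about BASIC credentials travelling over plain HTTP, which is what a transport-guarantee of CONFIDENTIAL in web.xml addresses.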