On Tue, Jan 20, 2015 at 5:09 PM, Mark Thomas <ma...@apache.org> wrote:

> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 8.0.17.
>
> - The RemoteAddrValve and RemoteHostValve can now optionally include
>   the port when filtering along with a new option to trigger
>   authentication rather than denying access
>
>
There are no links on the changelog page for these and I was hoping to see
some details about why this option was added.
"Optionally trigger authentication instead of denial in RemoteAddrValve and
RemoteHostValve"

http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_Address_Filter
"The behavior when a request is refused can be changed to not deny but
instead set an invalid authentication header"

Example #3
"To allow unrestricted access to port 8009, but trigger basic
authentication if the application is accessed on another port:"

I'm trying to understand this kind of setup.

If an IP has been allowed to pass through via a Filter to a restricted
resource, wouldn't the user get the container configured authentication
dialog anyway?
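A simplified Python model of the behaviour the quoted documentation describes, added here as an example; it is not Tomcat's code and not part of the original message. The keyword arguments mirror the valve attributes `addConnectorPort`, `invalidAuthenticationWhenDeny`, `allow`, `deny` and the context attribute `preemptiveAuthentication`; the function name, return labels, sample requests and the `address;port` comparison string are assumptions made for illustration.

```python
import re

def valve_decision(remote_addr, connector_port, headers, *, allow=None, deny=None,
                   add_connector_port=False, invalid_auth_when_deny=False,
                   preemptive_auth=False, deny_status=403):
    """Model of the filter: returns (action, headers passed down the pipeline)."""
    # With addConnectorPort the tested value is "address;port" (assumed form).
    prop = f"{remote_addr};{connector_port}" if add_connector_port else remote_addr
    if deny and re.fullmatch(deny, prop):
        allowed = False                      # deny pattern wins
    elif allow and re.fullmatch(allow, prop):
        allowed = True
    else:
        allowed = deny is not None and allow is None
    out = dict(headers)
    if allowed:
        return "pass", out                   # request continues untouched
    if invalid_auth_when_deny and preemptive_auth:
        # Not refused: an invalid credential is attached (unless the client
        # already sent one) so the container's authenticator challenges it.
        out.setdefault("authorization", "invalid")
        return "authenticate", out
    return f"deny:{deny_status}", out        # classic behaviour: refuse outright

ALLOW_AJP_ONLY = r".*;8009"                  # constructed: any address, port 8009

def demo():
    """Constructed requests: one on port 8009, two on port 8080."""
    opts = dict(allow=ALLOW_AJP_ONLY, add_connector_port=True)
    return [
        valve_decision("10.0.0.5", 8009, {}, invalid_auth_when_deny=True,
                       preemptive_auth=True, **opts),
        valve_decision("10.0.0.5", 8080, {}, invalid_auth_when_deny=True,
                       preemptive_auth=True, **opts),
        valve_decision("10.0.0.5", 8080, {}, **opts),
    ]

if __name__ == "__main__":
    for action, hdrs in demo():
        print(action, hdrs)
```

In this model the option only has an effect for requests that do not match `allow`: they are forwarded to the authenticator with an unusable credential rather than refused, while matching requests pass through with no header added.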
