Hi,
My webapp has a set of resources, let's call that set R. Some of those
resources need to be accessed only from certain source IP addresses,
let's call that subset R'. And some subset of R' (let's call it R'')
needs authentication.
I have a requirement to check the source IP address before authentication.
Right now, R' is specified in web.xml RemoteAddrFilter <url-pattern>s,
and R'' is specified in web.xml <security-constraint> <url-pattern>s.
The problem is, filters are executed after container-managed
authentication, so the login form is presented to the user before
RemoteAddrFilter kicks in and checks the source IP address. That is not what
I need. Users outside trusted IP ranges should not be able to even know
about the protected resources, let alone to guess passwords.
RemoteAddrValve, on the other hand, is called before container-managed
authentication, but it does not allow specifying <url-pattern>s.
What would be a good solution for the above requirement? Extend
RemoteAddrValve with the ability to specify <url-pattern>s?
-Ognjen
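
The approach raised at the end of the message, sketched as an added example that is not part of the original post or of Tomcat itself: a subclass of RemoteAddrValve that applies the address check only to the paths in R'. The class name, package and the `protectedPrefixes` property are hypothetical. The sketch assumes the valve is configured on the Context, uses `javax.servlet` (Tomcat 9 or earlier), and does simple prefix matching rather than full `<url-pattern>` semantics.

```java
package example.valves; // hypothetical package name

import java.io.IOException;
import java.util.Arrays;
import javax.servlet.ServletException; // jakarta.servlet on Tomcat 10+
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.RemoteAddrValve;

/**
 * Hypothetical valve: runs RemoteAddrValve's allow/deny check only for
 * requests whose context-relative path starts with a configured prefix (R').
 * Valves run before container-managed authentication, so a client that is
 * denied here is never shown the login form for R''.
 */
public class PathScopedRemoteAddrValve extends RemoteAddrValve {

    // Context-relative prefixes, e.g. "/admin/,/reports/" (assumed property)
    private volatile String[] protectedPrefixes = new String[0];

    public void setProtectedPrefixes(String csv) {
        protectedPrefixes = Arrays.stream(csv.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .toArray(String[]::new);
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Match on the decoded URI, not the raw request line, so that an
        // encoded spelling of a protected path is treated like the plain one.
        String uri = request.getDecodedRequestURI();
        String contextPath = request.getContext().getPath();
        String path = uri.startsWith(contextPath)
                ? uri.substring(contextPath.length()) : uri;

        for (String prefix : protectedPrefixes) {
            if (path.startsWith(prefix)) {
                // Inside R': the inherited check either rejects the request
                // with denyStatus or passes it to the next valve.
                super.invoke(request, response);
                return;
            }
        }
        // Outside R': no address restriction, continue down the pipeline.
        getNext().invoke(request, response);
    }
}
```

The valve would be declared in the webapp's context.xml with the usual `allow` or `deny` expression plus `protectedPrefixes`. Setting RemoteAddrValve's `denyStatus` attribute to 404 makes a denied request look like a missing resource instead of a forbidden one.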