Hi Vasanth,
On 27.02.2018 09:29, Vasantharaju Trichy wrote:

Tomcat version 7.0.82 | Windows

We have a requirement such that admins (tomcat users) need to login remotely to the machine where Tomcat is hosted and access the tomcat webapp to perform certain actions or see certain pages. These pages or actions are not permitted if users login remotely.

Initially I thought *request.getRemoteAddr* can be used to determine whether the actual client IP is local or not, but it looks like, based on the *X-Forwarded-For* header, it is easy to spoof *request.getRemoteAddr*. The spoofing is possible even from trusted internal proxies.

So I thought *request.getServerName* is more reliable than *request.getRemoteAddr*. But the *HOST* header can be spoofed to reflect *request.getServerName*. Strangely, Tomcat honors the HOST header to update request.getServerName.

I strongly feel this is a tomcat issue, or let us know how we can reliably determine if the request originated from local, or whether this is something not possible.

Thanks in advance,
Vasanth
Do you need to protect only single pages or the whole app? Did you check "Remote Address Filter" https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter ?

But: nevertheless request.getRemoteAddr(); cannot be spoofed! That is the origin of the request - that will be your data you need to check for localhost. If you'd need to identify non-admin-requests from remote and get the "real" ip, this may be more difficult and may need to handle X-Forward-headers. Looking at the code of the Valve you would find the necessary handling for X-Forward-Header.

request.getServerName does not identify the client! That is the target host name and is irrelevant for your app.

Best regards
Peter
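As an added illustration of Peter's point (example code, not from the thread or from Tomcat itself): a hypothetical servlet filter, `LocalOnlyFilter`, that admits a request to the admin-only pages only when `request.getRemoteAddr()`, the address of the TCP peer Tomcat accepted the connection from, is a loopback address. It assumes Tomcat 7's Servlet 3.0 API and that no RemoteIpValve is configured in front of the filter.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, mapped in web.xml onto the admin-only URL patterns.
// It decides purely on request.getRemoteAddr(), the peer address of the TCP
// connection Tomcat accepted, and never reads X-Forwarded-For or Host.
public class LocalOnlyFilter implements Filter {

    // True only for loopback peers (127.0.0.0/8 or ::1).
    static boolean isLocalClient(String remoteAddr) {
        if (remoteAddr == null) {
            return false;
        }
        try {
            // An IP literal is parsed, not resolved, so no DNS lookup happens here.
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false; // unparsable value: fail closed
        }
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isLocalClient(request.getRemoteAddr())) {
            // Remote peer: refuse and record the real source for the audit log.
            request.getServletContext().log("Denied " + request.getRequestURI()
                    + " from " + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

If a RemoteIpValve is configured, getRemoteAddr() is rewritten from X-Forwarded-For for connections arriving from the proxies listed as internal or trusted, so such a check then relies on those proxies and on nothing else being able to connect to Tomcat directly. The RemoteAddrValve Peter links to applies the same peer-address check declaratively, without code.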