On 27/02/18 08:29, Vasantharaju Trichy wrote:
> Tomcat version 7.0.82 | Windows
>
> We have a requirement such that admins (tomcat users) need to login remotely
> to the machine where Tomcat is hosted and access the tomcat webapp to perform
> certain actions or see certain pages. These pages or actions are not
> permitted if users login remotely.

This requirement makes no sense. "...need to login remotely..." and "...are not permitted if users login remotely..." are mutually exclusive. The logical answer to your question is to unplug the box and your requirements are guaranteed to be met.

I suspect, however, that you have not correctly stated your requirements. What did you really mean?

Mark

> Initially thought *request.getRemoteAddr* can be used to determine whether the actual
> client IP is local or not, but it looks like, based on the *X-Forwarded-For* header, it
> is easy to spoof *request.getRemoteAddr*. The spoofing is possible even
> from trusted internal proxies.
>
> So thought *request.getServerName* is more reliable than *request.getRemoteAddr*.
>
> But the *HOST* header can be spoofed to reflect *request.getServerName*.
>
> Strangely Tomcat honors the HOST header to update *request.getServerName*.
>
> I strongly feel this is a tomcat issue, or let us know how we can reliably
> determine if the request originated from local, or whether this is something not
> possible.
>
> Thanks in advance,
> Vasanth
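An added example, not from this thread and not Tomcat's own code, showing the defender-side check the question is after: a servlet Filter that gates a hypothetical `/admin/local/*` path on the TCP peer address alone and never consults `Host`/`getServerName()` or `X-Forwarded-For`. It assumes the Servlet 3.0 API on Tomcat 7 with no RemoteIpValve/RemoteIpFilter configured, so `getRemoteAddr()` is the socket peer; if one is configured, `getRemoteAddr()` is rewritten from `X-Forwarded-For` only for peers matching `internalProxies`, so that list must stay narrow.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical URL pattern for the pages that must only be reachable from the box itself.
@WebFilter(urlPatterns = "/admin/local/*")
public class LocalOnlyFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Decide on the connection's peer address only. Host (getServerName) and
        // X-Forwarded-For are client-controlled and are deliberately not consulted.
        if (isLoopbackPeer(request.getRemoteAddr())) {
            chain.doFilter(req, res);
            return;
        }
        // Record the denied peer for the audit trail, then fail closed.
        request.getServletContext().log("LocalOnlyFilter denied " + request.getRemoteAddr()
                + " -> " + request.getRequestURI());
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /** True only for 127.0.0.0/8 or ::1; null or unparsable values are treated as remote. */
    static boolean isLoopbackPeer(String remoteAddr) {
        if (remoteAddr == null) return false;
        try {
            // Tomcat returns an IP literal here, so this parses it without a DNS lookup.
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    @Override
    public void destroy() { }
}
```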