I think this means no remote HTTP access, but allow admins remote desktop access. Once in a local desktop session, allow the HTTP access since the request comes from localhost.
The issue is that getRemoteAddr usually returns a non-loopback IP address, even if the URL was to localhost.

On Feb 27, 2018 6:27 AM, "Mark Thomas" <ma...@apache.org> wrote:
> On 27/02/18 08:29, Vasantharaju Trichy wrote:
> > Tomcat version 7.0.82 | Windows
> >
> > We have a requirement such that admins (tomcat users) need to login remotely
> > to the machine where Tomcat is hosted and access the tomcat webapp to perform
> > certain actions or see certain pages. These pages or actions are not
> > permitted if users login remotely.
>
> This requirement makes no sense.
>
> "...need to login remotely..."
> and
> "...are not permitted if users login remotely..."
>
> are mutually exclusive.
>
> The logical answer to your question is unplug the box and your
> requirements are guaranteed to be met.
>
> I suspect, however, that you have not correctly stated your
> requirements. What did you really mean?
>
> Mark
>
> > Initially I thought *request.getRemoteAddr* could be used to determine whether the actual
> > client IP is local or not, but it looks like, based on the *X-Forwarded-For* header, it
> > is easy to spoof *request.getRemoteAddr*. The spoofing is possible even
> > from trusted internal proxies.
> >
> > So I thought *request.getServerName* is more reliable than *request.getRemoteAddr*.
> >
> > But the *HOST* header can be spoofed to reflect *request.getServerName*.
> >
> > Strangely, Tomcat honors the HOST header to update request.getServerName.
> >
> > I strongly feel this is a tomcat issue, or let us know how we can reliably
> > determine if the request originated locally, or whether this is something not
> > possible.
> >
> > Thanks in advance,
> > Vasanth
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
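As an added illustration of the point the thread circles around (this is not code from either poster or from Tomcat itself), the following servlet Filter decides whether a request is "local" from the server-side socket endpoint rather than from anything a client can put in a header. request.getRemoteAddr() is rewritten from X-Forwarded-For when RemoteIpValve trusts the upstream proxy, and request.getServerName() follows the Host header; request.getLocalAddr() and request.getLocalPort() describe the connector that accepted the TCP connection and are not derived from request headers. The example assumes a dedicated Tomcat Connector bound to the loopback interface (the `address` attribute on Connector is a real Tomcat setting; the port 8081, the class name LocalOnlyFilter and the path prefix /admin/ are assumptions for this example).

```java
// Added example, not from the thread or from Tomcat. Assumes a second Connector
// bound to loopback in server.xml, e.g.:
//   <Connector port="8081" address="127.0.0.1" protocol="HTTP/1.1" />
// LocalOnlyFilter, ADMIN_PATH_PREFIX and LOOPBACK_PORT are hypothetical names.
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LocalOnlyFilter implements Filter {
    // Paths that may only be reached through the loopback-bound connector.
    private static final String ADMIN_PATH_PREFIX = "/admin/";
    // Port of the Connector bound to 127.0.0.1 (assumed value).
    private static final int LOOPBACK_PORT = 8081;

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    /**
     * True only if the TCP connection itself terminated on the loopback
     * connector. getLocalAddr()/getLocalPort() come from the accepted socket,
     * so neither X-Forwarded-For nor Host can influence them; getRemoteAddr()
     * (rewritten by RemoteIpValve behind a trusted proxy) and getServerName()
     * (taken from the Host header) are deliberately not consulted.
     */
    static boolean isLocalConnection(HttpServletRequest req) {
        if (req.getLocalPort() != LOOPBACK_PORT) {
            return false;
        }
        try {
            // Handles both "127.0.0.1" and the IPv6 form "0:0:0:0:0:0:0:1".
            return InetAddress.getByName(req.getLocalAddr()).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Path relative to the webapp's context root.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (path.startsWith(ADMIN_PATH_PREFIX) && !isLocalConnection(req)) {
            // Reject rather than redirect: the remote caller learns nothing about the admin pages.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Map the filter to /* in web.xml so the prefix check runs before any admin servlet. The check is only as strong as the network layout: if a reverse proxy on the same machine forwards to the loopback connector, proxied requests would also pass, so the loopback connector must be one that no proxy forwards to, and the public connector should be bound to the externally reachable address. An admin who logs in over remote desktop and opens a browser on the box then connects to 127.0.0.1:8081 and passes the check, which is the behaviour the requirement asks for.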