On 27/02/18 12:06, Alex O'Ree wrote:
> I think this means no remote HTTP access, but allow admins remote desktop
> access. Once in a local desktop session, allow the HTTP access since the
> request comes from localhost.

Possibly. That is one possible reading of "need to login remotely" vs
"not permitted if users login remotely". My guess was that the first
phrase was missing a "not" or should have said "locally".

Who knows which, if either, of our guesses is correct. Hence my request
for clarification.

> The issue is getRemoteAddr usually returns a non-loopback IP
> address, even if the URL was to localhost.

I read the issue the other way around - that the loopback address could
be spoofed.

Anyway...

Olaf has made a number of valid points. I await the answers to those
with interest.

Mark

> 
> On Feb 27, 2018 6:27 AM, "Mark Thomas" <ma...@apache.org> wrote:
> 
>> On 27/02/18 08:29, Vasantharaju Trichy wrote:
>>> Tomcat version 7.0.82 | Windows
>>>
>>> We have a requirement such that admins (Tomcat users) need to login
>>> remotely to the machine where Tomcat is hosted and access the Tomcat
>>> webapp to perform certain actions or see certain pages. These pages or
>>> actions are not permitted if users login remotely.
>>
>> This requirement makes no sense.
>>
>> "...need to login remotely..."
>> and
>> "...are not permitted if users login remotely..."
>>
>> are mutually exclusive.
>>
>> The logical answer to your question is unplug the box and your
>> requirements are guaranteed to be met.
>>
>> I suspect, however, that you have not correctly stated your
>> requirements. What did you really mean?
>>
>>
>> Mark
>>
>>
>>>
>>> Initially I thought *request.getRemoteAddr* could be used to determine
>>> whether the actual client IP is local or not, but it looks like, based on
>>> the *X-Forwarded-For* header, it is easy to spoof *request.getRemoteAddr*.
>>> The spoofing is possible even from trusted internal proxies.
>>>
>>> So I thought *request.getServerName* is more reliable than
>>> *request.getRemoteAddr*.
>>>
>>> But the *HOST* header can be spoofed, which is reflected in
>>> *request.getServerName*.
>>>
>>> Strangely, Tomcat honors the HOST header to update request.getServerName.
>>>
>>> I strongly feel this is a Tomcat issue, or let us know how we can
>>> reliably determine if the request originated locally, or whether this is
>>> not possible.
>>>
>>> Thanks in advance,
>>>
>>> Vasanth
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
> 

