Hi Chris and Mark, As Mark spotted, I'm editing the conf/web.xml file.
If I move this to the application's web.xml, is there any way it can be overridden by the Tomcat configuration? Ideally, I'd like it to be somehow configurable by the person deploying it. Alternatively, can it be configured programmatically? I could then read a setting from the database. (Apologies for not describing all the requirements at the outset - users, eh?) Thanks, Tim -- Tim Scott OCLC · Senior OLIB Software Engineer City Gate · 8 St. Mary's Gate · Sheffield S1 4LW · United Kingdom cc: IT file ________________________________ From: Christopher Schultz <ch...@christopherschultz.net> Sent: Monday, March 21, 2022 8:14 pm To: users@tomcat.apache.org Subject: [External] Re: RemoteAddrFilter (org.apache.catalina.filters) Tim, On 3/21/22 13:51, Scott,Tim wrote: > Hi all, > > I’ve been trying to get this to work for a bit without any luck. > > What I’ve arrived at, in my main Tomcat web.xml, is: > > <web-app > xmlns=http://xmlns.jcp.org/xml/ns/javaee<http://xmlns.jcp.org/xml/ns/javaee> > <http://xmlns.jcp.org/xml/ns/javaee<http://xmlns.jcp.org/xml/ns/javaee>> > > > xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance<http://www.w3.org/2001/XMLSchema-instance> > <http://www.w3.org/2001/XMLSchema-instance<http://www.w3.org/2001/XMLSchema-instance>> > > > xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee<http://xmlns.jcp.org/xml/ns/javaee> > > http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd<http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd> > <http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd<http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd>>" > > version="4.0"> > > <filter> > > <filter-name>Remote Address Filter</filter-name> > > > <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class> > > <init-param> > > <param-name>allow</param-name> > > <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value> > > </init-param> > > </filter> > > <filter-mapping> > > <filter-name>Remote Address Filter</filter-name> > > <url-pattern>/sru/*</url-pattern> > > </filter-mapping> > > This is more-or-less a copy/paste from the documentation at > https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_Address_Filter<https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_Address_Filter> > <https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_Address_Filter<https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_Address_Filter>>, > but the url-pattern is presenting me some problems. > > There are (for various business reasons) planned to be two applications > on this Tomcat – one at “/sru/…” and one not. > > The one at “/sru” needs to have a filter applied to stop it being > accessed from non-whitelisted sources. The other application is public. > > Or, I need to do some development work to integrate with our corporate > authentication mechanism – for requests that have already been > authenticated and are arriving from another, internal, server. To me, > that seems like a waste of time. > > If I adjust the url-pattern to: > > <url-pattern>/*</url-pattern> > > … then all access from other clients for both applications get an > http/403 response. No surprise, there. > > If I make the pattern: > > <url-pattern>/sru/*</url-pattern> > > (or some variations thereof – “sru”, “/sru”, “/sru/”, > “/sru*”, …) > > … then both applications are equally accessible from other clients. > > Is what I’m trying to do possible? > > I’m using Tomcat 9.0.54. > > If it should work – can anyone spot what I’ve missed? > > Thanks, > > Tim What is the context path of your web application? The filter should ignore the context-path and only look at URLs relative to that context-path. So if you your context-path is /sru then you really just want to look at /* and not /sru* The other question is "which web.xml are you editing"? If you are editing the one in CATALINA_BASE/conf/web.xml then that's the wrong one as it applies to all web applications... but again the URLs will all be relative to their individual context-paths. -chris --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
