Tim,
On 3/21/22 16:47, Scott,Tim wrote:
Hi Chris and Mark,
As Mark spotted, I'm editing the conf/web.xml file.
If I move this to the application's web.xml, is there any way it can
be overridden by the Tomcat configuration? Ideally, I'd like it to be
somehow configurable by the person deploying it.
You mean, you want the deployer/administrator to be able to configure
this and NOT HAVE the application packager override that configuration,
right?
I think maybe you want to use the Remote Address Valve[1] and not Filter.
Valves can be configured in the application's META-INF/context.xml file,
and those files can be specified by the deployer and will override
whatever comes packaged in the web application.
Stick a file in CATALINA_BASE/conf/[service]/[engine]/[appname].xml and
configure the Valve there, and the application won't overwrite that file
unless you un-deploy the application and re-deploy it.
Another option would be to configure the Valve at the <Engine> or <Host>
level in your conf/server.xml file. That way it's all in one place. But
it applies to *all* applications when you do it this way; you don't
specify a <url-pattern> for a Valve, for example.
Alternatively, can it be configured programmatically?
I don't see a reason to do this programmatically, unless you are using
Embedded Tomcat already.
I could then read a setting from the database.
Well, if that's a fun thing for you to do, then sure, programmatically
would allow you to do this kind of thing ;))
(Apologies for not describing all the requirements at the outset - users, eh?)
No problem.
-chris
[1]
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Address_Valve
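
The deployer-owned context descriptor suggested in the reply above, written out as an added example (it is not configuration posted in the thread, nor the Tomcat project's own file). It assumes the default Engine and Host names (Catalina, localhost) and that the restricted application is deployed at context path /sru; the allow pattern is the one from the original post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example. Assumed location:
    CATALINA_BASE/conf/Catalina/localhost/sru.xml
  "Catalina" and "localhost" are the default Engine and Host names.
  The file name (sru.xml) gives the context path /sru, so no path
  attribute is set here.

  This descriptor takes precedence over a META-INF/context.xml packaged
  inside the application, so the deployer controls the access rule.
-->
<Context>
  <!--
    A Valve has no url-pattern: it applies to every request for this
    Context, which is the equivalent of mapping the filter to /* inside
    the application at /sru.

    allow is a java.util.regex pattern that must match the whole client
    address as seen by the connector. Requests from any other address
    are rejected (HTTP 403 by default). Behind a reverse proxy the
    address seen is the proxy's unless it is rewritten first.

    To admit the internal server mentioned in the thread, add its
    address as another alternative in the pattern (value not given on
    the page, so it is not filled in here).
  -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
```

The public application needs no descriptor of its own; with the Valve scoped to this one Context, it stays reachable from any address.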
________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Monday, March 21, 2022 8:14 pm
To: users@tomcat.apache.org
Subject: [External] Re: RemoteAddrFilter (org.apache.catalina.filters)
Tim,
On 3/21/22 13:51, Scott,Tim wrote:
Hi all,
I’ve been trying to get this to work for a bit without any luck.
What I’ve arrived at, in my main Tomcat web.xml, is:
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
  <filter>
    <filter-name>Remote Address Filter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
      <param-name>allow</param-name>
      <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>Remote Address Filter</filter-name>
    <url-pattern>/sru/*</url-pattern>
  </filter-mapping>
This is more-or-less a copy/paste from the documentation at
https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_Address_Filter,
but the url-pattern is presenting me some problems.
There are (for various business reasons) planned to be two applications
on this Tomcat – one at “/sru/…” and one not.
The one at “/sru” needs to have a filter applied to stop it being
accessed from non-whitelisted sources. The other application is public.
Or, I need to do some development work to integrate with our corporate
authentication mechanism – for requests that have already been
authenticated and are arriving from another, internal, server. To me,
that seems like a waste of time.
If I adjust the url-pattern to:
<url-pattern>/*</url-pattern>
… then all access from other clients for both applications get an
http/403 response. No surprise, there.
If I make the pattern:
<url-pattern>/sru/*</url-pattern>
(or some variations thereof – “sru”, “/sru”, “/sru/”,
“/sru*”, …)
… then both applications are equally accessible from other clients.
Is what I’m trying to do possible?
I’m using Tomcat 9.0.54.
If it should work – can anyone spot what I’ve missed?
Thanks,
Tim
What is the context path of your web application? The filter should
ignore the context-path and only look at URLs relative to that context-path.
So if your context-path is /sru then you really just want to look at
/* and not /sru*
The other question is "which web.xml are you editing"? If you are
editing the one in CATALINA_BASE/conf/web.xml then that's the wrong one
as it applies to all web applications... but again the URLs will all be
relative to their individual context-paths.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org