Hi Mark and Guru,

Many thanks for both your replies.

Mark Thomas <[EMAIL PROTECTED]> wrote:
> The allow and deny fields take regular expressions. '.' is reserved
> and needs to be escaped. Take a look at the java.util.regex javadoc

OK, I was going by the info found here:
http://tomcat.apache.org/tomcat-5.5-doc/config/host.html#Request%20Filters

The documentation states that the filters are specified by regexes, but
then goes on to give an example where a glob pattern is used.  I'm
familiar with regexes, and for these particular patterns I would expect
the same result whether the periods were escaped or not.  I just tried
it and this is indeed the case, so I'm none the wiser.

On Wed, 2007-04-18 at 09:56 +0100, Raghupathy, Gurumoorthy wrote:
> Best thing to do is front apache http server listening on port 80 to
> forward request to tomcat using mod_jk.

A colleague suggested this solution already.  He then proceeded to give
two whole pages of instructions on how to set it up.  I can see that it
will work but it seems an incredibly complicated way to get a feature
that I should be able to achieve with just a few lines in the Tomcat
configuration file.

> You can then use "allow and deny" in your web server (apache http
> server) to control the access for specific URLs ..... this is far more easy
> to maintain :) 

Far more easy to maintain than what?  Either I can get the setup I need
with a combination of directives in the Tomcat configuration, in which
case I'm all done, or else I can't, in which case I have to maintain a
separate Apache installation on my server.  The latter certainly sounds
like the bigger headache to me (and yes, I am familiar with running
Apache).

> Have a look at http://httpd.apache.org/docs/2.0/mod/core.html (allow
> from and deny from) 
> And http://tomcat.apache.org/faq/connectors.html for mod_jk stuff ... 
> Please do not use mod_jk2.... 
> 
> If you want more info please let us know ...

I'd feel a lot more comfortable going the mod_jk route if somebody in
the know could vouch for one of the following statements:

a) "The access policy you propose cannot be achieved within the Tomcat
configuration, and a separate security manager is necessary - eg. Apache
+mod_jk"

and/or

b) "Tomcat should not be used directly as a public web server, and it is
advisable to run it behind an Apache instance"
(the FAQ referenced above is non-committal on this point, which is
understandable but still leaves me none the wiser :-( )

If either of those is true then I can comfortably justify (to myself, my
boss, and my network admin) the setup you suggest.  If not, then I'm
back to asking how access can be controlled from within Tomcat, as this
still seems to me the simpler way.

Many thanks again,

TIM

> -----------------------------------------------------------------------------------
> -----Original Message-----
> From: Tim Booth [mailto:[EMAIL PROTECTED] 
> Sent: 17 April 2007 19:11
> To: users@tomcat.apache.org
> Subject: Host-based access to web applications
> 
> Dear All, 
> 
> I'm hoping someone on this list can help me out.
> 
> I'm running Tomcat 5.5.20 on a staging server (192.171.160.186), which
> means that I want to be able to open some features to the world at large
> but restrict others to my own trusted machines for internal use.
> Specifically, my desired configuration is:
> 
> 1) ROOT web application open to the world, so people can see my custom
> front page
> 
> 2) "/mibbi" webapp open to the world, as this is the actual thing I'm
> developing and showing to beta testers
> 
> 3) Everything else, including the /manager area and /exist (the XML
> database RPC interface) should be off limits to all but a set of
> explicitly listed IP addresses - ie. localhost and my own box,
> (192.171.160.155).
> 
> Starting with a pretty-much default Tomcat installation, and based on
> the info in the Tomcat manual, I've added the following to the <Host>
> section in server.xml
> 
> SNIP>>>
> 
>       <!-- Default rule - Restrict most services to trusted hosts:
>            localhost and texugo -->
>       <Context path="">
>         <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>                allow="127.0.0.1,192.171.160.155,192.171.160.186"
>                deny=""/>
>       </Context>
> 
>       <!-- I want to allow public access to the front page on the site -->
>       <Context path="/ROOT" >
>         <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>                allow=".*" deny="" />
>       </Context>
> 
>       <!-- Allow MIBBI area access from anyone -->
>       <Context path="/mibbi" >
>         <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>                allow=".*" deny="" />
>       </Context>
> 
> <<<SNIP
> 
> With the above settings in place I try to access the server from another
> 'untrusted' machine (192.171.174.146) but I get the following results:
> 
> http://192.171.160.186:8080/ - access denied (!)
> http://192.171.160.186:8080/manager/html - access granted (!)
> http://192.171.160.186:8080/exist - access granted (!)
> http://192.171.160.186:8080/mibbi - access granted
> 
> So I have only succeeded in blocking access to the front page, which is
> one of the two areas I wanted to leave unblocked.  I've tried several
> permutations on the above, but with no more joy.  Can anyone suggest a
> correct configuration, or an alternative way of getting what I want?
> 
> Many thanks in advance,
> 
> TIM
> 
> -- 
> Tim Booth <[EMAIL PROTECTED]>
> NEBC at CEH Oxford
> 
> 
> -- 
> This message (and any attachments) is for the recipient only. NERC
> is subject to the Freedom of Information Act 2000 and the contents
> of this email and any reply you make may be disclosed by NERC unless
> it is exempt from release under the Act. Any material supplied to
> NERC may be stored in an electronic records management system.
> 
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
> 
-- 
Tim Booth <[EMAIL PROTECTED]>
NEBC at CEH Oxford


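The four results Tim lists can be reproduced with a small model of how RemoteAddrValve decides (deny patterns first, then allow patterns, each a full regex match) combined with longest-prefix context mapping, where path "" is the ROOT webapp. This is an added example, not code from the thread or from Tomcat itself; the INTENDED table is my assumed per-context layout of the policy in the original post, and the trusted-address patterns use Mark's escaped dots.

```python
import re

# Model of RequestFilterValve's decision order in Tomcat 5.5: deny list
# first, then allow list, then the default.  Illustration only, not Tomcat code.
def valve_permits(remote_addr, allow="", deny=""):
    allows = [p for p in allow.split(",") if p]
    denies = [p for p in deny.split(",") if p]
    if any(re.fullmatch(p, remote_addr) for p in denies):
        return False                      # any deny match wins
    if any(re.fullmatch(p, remote_addr) for p in allows):
        return True
    # nothing allowed explicitly: permit only when just a deny list exists
    return bool(denies) and not allows

def resolve_context(uri, contexts):
    """Longest-prefix context mapping; path "" (ROOT) is the catch-all."""
    best = ""
    for path in contexts:
        if path and (uri == path or uri.startswith(path + "/")) \
                and len(path) > len(best):
            best = path
    return best

def decide(uri, remote_addr, contexts):
    valve = contexts[resolve_context(uri, contexts)]
    return valve is None or valve_permits(remote_addr, **valve)

TRUSTED = r"127\.0\.0\.1,192\.171\.160\.155,192\.171\.160\.186"

# The posted server.xml as a context -> valve table.  "/ROOT" is a path of
# its own, so the valve on "" is what governs the front page, while
# /manager and /exist carry no valve at all.
POSTED = {"": {"allow": TRUSTED}, "/ROOT": {"allow": ".*"},
          "/mibbi": {"allow": ".*"}, "/manager": None, "/exist": None}

# Assumed layout of the policy in the original post: valves on the
# restricted contexts only, ROOT and /mibbi left open.
INTENDED = {"": None, "/mibbi": None,
            "/manager": {"allow": TRUSTED}, "/exist": {"allow": TRUSTED}}

def access_matrix(contexts, remote_addr="192.171.174.146"):
    """Outcome for the four URLs tried from the 'untrusted' machine."""
    return {u: decide(u, remote_addr, contexts)
            for u in ("/", "/manager/html", "/exist", "/mibbi")}

if __name__ == "__main__":
    print("posted  :", access_matrix(POSTED))
    print("intended:", access_matrix(INTENDED))
```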
