Hubert,

Hubert de Heer wrote:
> If you really, really need the manager webapp, you can restrict access
> to that one not only by password but also by source-ip, e.g. access is
> only allowed from your office IP.
>
> In server.xml:
> <Context path="/manager"
> docBase="${catalina.home}/server/webapps/manager" debug="0"
> privileged="true">
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="<office_ip>"/>
> </Context>

This is a really bad <Context> declaration for several reasons:

1a. It is defined in server.xml. The OP is using Tomcat 6.x. You aren't
supposed to do this anymore - not since TC 5.5 at least.

1b. You are specifying the "path" to the application, which is a no-no
these days. Tomcat can detect the deployment path of the application
from the name of the directory (or WAR file or XML file).

2. You are explicitly deploying a webapp from the webapps directory.
Since Tomcat typically has autoDeploy="true", you'll end up deploying
the application twice. This is confusing at best and insecure at the
worst (because the "winning" deployment may not have that
RemoteAddrValve configured).

To sum up, you should:

1. Use META-INF/context.xml if you want to use autoDeploy="true" to add
your RemoteAddrFilter.

2. Use conf/[engine]/[host]/[appname].xml if you don't want to use
autoDeploy="true" or if you want to deploy your application from
somewhere other than the auto-deploy webapps directory.

3. Stop using "path" and "docBase".

Hope that helps,
-chris
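The check below is an added example, not part of the original message or of Tomcat: it flags the server.xml pattern criticised in the reply above, including the double-deployment case where the IP restriction may not apply. The sample XML, the `/opt/tomcat` install path and the name `audit_server_xml` are constructed for illustration, and CATALINA_BASE is assumed to equal CATALINA_HOME.

```python
import posixpath
import xml.etree.ElementTree as ET

ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample (Tomcat 6 layout): manager declared in server.xml while
# the same directory also sits in the auto-deployed appBase.
SAMPLE_SERVER_XML = r"""
<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps" autoDeploy="true">
    <Context path="/manager" docBase="${catalina.home}/webapps/manager"
             privileged="true">
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="192\.0\.2\.10"/>
    </Context>
  </Host>
</Engine></Service></Server>
"""

def audit_server_xml(xml_text, catalina_home="/opt/tomcat"):
    """Return (context, finding) tuples for <Context> elements in server.xml.

    catalina_home is an assumed install path; CATALINA_BASE is taken to be equal.
    """
    def resolve(path):
        for var in ("${catalina.home}", "${catalina.base}"):
            path = path.replace(var, catalina_home)
        return posixpath.normpath(posixpath.join(catalina_home, path))

    findings = []
    for host in ET.fromstring(xml_text).iter("Host"):
        app_base = resolve(host.get("appBase", "webapps"))
        # Tomcat treats autoDeploy as true when the attribute is absent.
        auto_deploy = host.get("autoDeploy", "true").lower() == "true"
        for ctx in host.iter("Context"):
            name = ctx.get("path", "(no path)")
            findings.append((name, "Context defined in server.xml"))
            if "path" in ctx.attrib:
                findings.append((name, "explicit path attribute"))
            doc_base = ctx.get("docBase")
            inside = doc_base is not None and resolve(doc_base).startswith(app_base + "/")
            if auto_deploy and inside:
                findings.append((name, "docBase under auto-deployed appBase: double deployment"))
                if any(v.get("className") == ADDR_VALVE for v in ctx.iter("Valve")):
                    findings.append((name, "RemoteAddrValve may be missing from the winning deployment"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"{name}: {finding}")
```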