Tomcat Valve settings

Question

Hi %,

I'm stuck with sort of a configuration issue I think. I need to protect a folder which is within my actual tomcat application from access from a certain IP range.

I thought this was serverfault, so I posted the question there. Right now I'm not sure whether this is SO or SF anyways...

Nevertheless I kept on trying geting it going by myself and figured that I need to set the

org.apache.catalina.valves.RemoteAddrValve

for that folder of mine. Sadly I just can't get where I need to make that setting. web.xml, server.xml ? Tried both, null success. Could anyone pls help me out on this.

tia

K

Answer 1

It should go inside your <Context> element in server.xml:

<Context
    path="/tcadmin"
    docBase="${catalina.home}/server/webapps/admin"
    privileged="true"
>
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
        allow="127\.0\.0\.1"
    />
</Context>

Just remember, that the string values are regex patterns, so special regex characters ( e.g. dot(.) ) has to be escaped with backslashes.

EDIT: in reply to OP's comment. I think you need to implement a FILTER in your web app and configure it to accept or reject requests based on their remote address IP. Remote address can be retrieved from ServletRequest object passed into doFilter method.

You declare a filter in your web.xml file:

<filter>
  <filter-name>GatekeeperFilter</filter-name>
  <filter-class>your.package.GatekeeperFilter</filter-class>
  <init-param>
    <param-name>allowedNetwork</param-name>
    <param-value>192\.168\.2\.*</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>GatekeeperFilter</filter-name>
  <url-pattern>/path/to/protected/folder</url-pattern>
</filter-mapping>

Read the linked article about what need to be done to accept init parameters. I think for your decision making you can shamelessly copy the code from the RequestDumperValve.

Answer 2

You need to put it in the <Context> element which definies the webapplication in question.

For Tomcat it can be several places, under each the webapp-specific (and webapp-controlled) /META-INF/context.xml or the server-specific (and server-controlled) /conf/[enginename]/[hostname]/context.xml or the server-specific global /conf/context.xml or the host-specific /conf/server.xml. Also see the Tomcat Context documentation.

Answer 3

The Tomcat Valve can be applied to the whole Engine, the Host or a specific Context (webapp). You have to use it for you whole app, not specific path or directories.

You should set it in your META-INF/context.xml or your context fragment in conf/Catalina/[host] directory. For example,

<Context path="/myapp" ...>
  ...
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="10.1.2.*"/>
</Context>

Answer 4

Had the same need as you (but for other reasons) last week and created a valve to block requests by path. It's based off of org.apache.catalina.valves.RequestFilterValve.

Usage:

<Valve className="se.qbranch.tomcat.valve.BlockAccessByPathValve" path="/manager/.*" allow="127\.0\.0\.1"/>

The valve can be used in Engine, Host or Context just as any valve and is available on GitHub. http://github.com/xlson/tomcat-valves

I would suggest using the default tomcat valves or servlet filters in your application if that solves your problem. The reason we needed a custom valve was that some parts of the tomcat management application Psi-Probe would "leak out" even though we used the RemoteAddrValve in the <Context> element of the application.