tags:

views:

205

answers:

2
Q: 

Prevent access to certain webapps in Tomcat6

I asked this on server fault but really havent had much luck, hoping that someone here would be able to offer some advice...

I have a Tomcat 6 server running just fine. I have external access working. I wanted to know how to prevent someone from seeing specific webapps, for example, I dont want external access to the ROOT tomcat page. How would I go about preventing some webapps while leaving other webapps visible to external users ?

Here's what I've tried: This denies everything even 127.0.0.1 requests

<Host name="localhost"  appBase="webapps"
                unpackWARs="true" autoDeploy="true"
                xmlValidation="false" xmlNamespaceAware="false">

    <Context path="/examples" docBase="" >
       <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
    </Context>
  </Host>

This denies everything as well.

<Host name="localhost"  appBase="webapps"
                    unpackWARs="true" autoDeploy="true"
                    xmlValidation="false" xmlNamespaceAware="false">

        <Context path="/examples" docBase="" >
           <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="*"/>
        </Context>
      </Host>

Basically I am trying to prevent access to the ROOT default tomcat page and the example apps....

Any ideas?

+1  A: 

take a look at the documentation. http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

What you have seems to be correct. it says "If this attribute is specified, the remote address MUST match for this request to be accepted."

One thing you might look at is to see whether 127.0.0.1 is really the correct IP. You might be actually using the actual IP of the box. try adding that IP address after the localhost one.

mlathe  2010-01-27 19:51:11
well on my second example, I have allow="*" which should allow anything and everything. but its still denied.
gmcalab  2010-01-27 19:56:55
You made a good point about double checking the source ip +1
gmcalab  2010-01-27 20:22:02
A: 

You can't use a wild card for the allow attribute...on the other hand you can use one for the deny attribute.

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="*"/>

This is why I was getting a 403 with the above code.

Also another way I handled this was I created a jsp that redirected traffic to wherever I wanted.

gmcalab  2010-01-27 20:23:24

related questions

Implementing Admin Module on Tomcat 6
Tomcat: Caching SWF files with varying query strings
Tomcat cluster fails and generates tons of logs
How to determine the best number of threads in Tomcat?
How to create alias to the host
Avoiding tomcat status report
php java bridge not working on tomcat 6
Configuring Apache Web Server with Tomcat
Is there a practical HTTP Header length limit?
window service auto restart existing tomcat service everday
Tomcat 6 HTTP log rolling and purging
how to make tomcat 6 running mulitple domain with non ROOT application name
Tomcat 6 freezes at startup
Tomcat 6 and log4j application logging produce no output
Tomcat 6 Hot Deploy issue
Error with Tomcat 6 and Tomcat 5.5 Incompatibility
Tomcat startup fails with not a valid identifier
log4j with Tomcat6
Tomcat6, how to interpret stop service event ?
Howto embed Tomcat 6?
Tomcat 6.x Administration
How to deploy a WAR onto an existing Tomcat 6 instance using Cargo?
How to use htpasswd file in Tomcat 6
Problem creating a tomcat 6 server in eclipse form Ubuntu
Eclipse - How can I change a 'Project Facet' from Tomcat 6 to Tomcat 5.5?