Posted to users@tomcat.apache.org by Francis GALIEGUE <fg...@one2team.com> on 2011/09/14 17:10:45 UTC

tomcat 7.0.21: bug in RemoteAddrValve?

Hello,

I have a base Tomcat install with only the manager webapp in it at
startup (I deploy other webapps using it in text mode) but since I
upgraded from 7.0.16 to 7.0.21, the manager no longer works with the
RemoteAddrValve.

The context.xml is:

----
<Context docBase="/usr/share/tomcat7/webapps/manager"
    antiResourceLocking="false" privileged="true">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
        allow="127\.0\.0\.1|::1"/>
</Context>
----

This worked fine with 7.0.16 and doesn't work anymore with 7.0.21, I
get 403 each time... Anyone seeing the same problem?

-- 
Francis Galiegue
ONE2TEAM
Ingénieur système
Mob : +33 (0) 683 877 875
Tel : +33 (0) 178 945 552
fge@one2team.com
40 avenue Raymond Poincaré
75116 Paris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by André Warnier <aw...@ice-sa.com>.
Francis GALIEGUE wrote:
> On Wed, Sep 14, 2011 at 17:28, André Warnier <aw...@ice-sa.com> wrote:
>> Francis GALIEGUE wrote:
> [...]
>>>    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>>        allow="127\.0\.0\.1|::1"/>
> [...]
>> Maybe try to modify that regexp somewhat, like to
>> allow="(127\.0\.0\.1)|(::1)"
>> or
>> allow="127\.0\.0\.1|\:\:1"
>> just in case the regexp library version changed, and it now interprets the
>> original expression slightly differently ?
> 
> Nope... I also tried 127\.0\.0\.1 alone and no dice.
> 
> I'll try your two other suggestions but if any works, it means the
> regex engine used is seriously buggy!
> 
>> Could it also be that previously, Tomcat saw an IPv4 address and it worked,
>> but now it sees an IPv6 address and the "::1" part in fact never worked, but
>> was never used before ?
>>
> 
> The machine has IPv4 only. I just put in the ::1 in prevision of a not
> so distant future...
> 
> But maybe it is some other part of the configuration (server.xml?
> default context.xml?) which needs to be changed?
> 

Not that I know of.  As far as I know, the <Valve> element can be placed inside of the 
Manager's context.xml, and should then affect only the Manager app.
And it worked before, didn't it ?

Plus, you say that you are getting a 403 error.  If the <Valve> was being ignored, I 
believe you would not get that error. So it looks like the Valve gets triggered, but it 
finds a Remote address other than 127.0.0.1.

Now sorry to ask, but you /are/ connecting to Tomcat from the same host as the Tomcat 
host, are you ? without any front-end in front of Tomcat ?

Also, isn't there anything in the logs ?




Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by Francis GALIEGUE <fg...@one2team.com>.
On Thu, Sep 15, 2011 at 10:26, Francis GALIEGUE <fg...@one2team.com> wrote:
[...]
>
> I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it
> does work...
>

Which makes me think: the documentation SHOULD specify that regexes in
the "allow" and "deny" parameters of the valve are ANCHORED.

That's a pity, since it means you cannot really use the full power of regexes...

-- 
Francis Galiegue
ONE2TEAM
Ingénieur système
Mob : +33 (0) 683 877 875
Tel : +33 (0) 178 945 552
fge@one2team.com
40 avenue Raymond Poincaré
75116 Paris



Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by Francis GALIEGUE <fg...@one2team.com>.
On Thu, Sep 15, 2011 at 14:54, André Warnier <aw...@ice-sa.com> wrote:
[...]
>
> One difficulty with implementing an Apache httpd-like scheme is that, in
> httpd, the order of the allow/deny plays a big role, and preserving the
> order is generally more difficult in XML.
>

Which is why there is "Order" ;)

> But maybe just this : the "localhost" case is so frequent, that maybe it
> could just be a separate attribute in the Valve, like :
> localhostAllow="true/false" or even localhost="allow/deny"
> and internally match any form of localhost.
> That may allow for some optimisation.  I'm sure the impact would be tiny,
> but since this is code that gets invoked at just every request and generally
> quite early, it may be significant.
>

I was rather thinking about a completely new valve, allowing to
specify CIDR ranges, subdomains, etc etc. It is certainly doable.

-- 
Francis Galiegue
ONE2TEAM
Ingénieur système
Mob : +33 (0) 683 877 875
Tel : +33 (0) 178 945 552
fge@one2team.com
40 avenue Raymond Poincaré
75116 Paris



Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by André Warnier <aw...@ice-sa.com>.
Francis GALIEGUE wrote:
> On Thu, Sep 15, 2011 at 14:25, André Warnier <aw...@ice-sa.com> wrote:
> [...]
>>> OK, I've found the bug...
>>>
>>> I have added an access log valve and here is what I see in it:
>>>
>>> [15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403
>>> GET //manager/text/list HTTP/1.0
>>>
>>> That explains it. So, I do have IPv6, but the valve doesn't recognize
>>> ::1 as being equivalent to the fully expanded IPv6 address... If it
>>> only tries and matches the regex, the behaviour is therefore normal.
>> Aha. So I do get a Debugger Bonus Point after all.
>>
> 
> Yes, indeed. Even though I have NETWORKING_IPV6=no in
> /etc/sysconfig/network. Bah.
> 
>>> I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it
>>> does work...
>>>
>>> So, PEBKAC mostly, but I think Tomcat should be able to treat reduced
>>> IPv6 address formats.
>>>
>> That would mean that both the address configured in the Valve, and the
>> client address, would need to be "canonicalised" and then compared.
>> You'll probably see the traditional "patches are welcome" soon.
>>
>> On the other hand, using a regexp provides for quite a bit of flexibility
>> regarding ranges of addresses. You could use something like :
>> "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)"
>>
> 
> Well, checking address ranges would be _much_ easier if regexes were
> not anchored...
> 
> But anyway, the "allow" and "deny" as they exist currently just don't
> cut the mustard, and are far from being as potent as, say Apache's
> Allow from and Deny from. This should be the goal.
> RemoteAddrValveEvolved?
> 

One difficulty with implementing an Apache httpd-like scheme is that, in httpd, the order 
of the allow/deny plays a big role, and preserving the order is generally more difficult 
in XML.

But maybe just this : the "localhost" case is so frequent, that maybe it could just be a 
separate attribute in the Valve, like : localhostAllow="true/false" or even 
localhost="allow/deny"
and internally match any form of localhost.
That may allow for some optimisation.  I'm sure the impact would be tiny, but since this 
is code that gets invoked at just every request and generally quite early, it may be 
significant.



Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by Francis GALIEGUE <fg...@one2team.com>.
On Thu, Sep 15, 2011 at 14:25, André Warnier <aw...@ice-sa.com> wrote:
[...]
>>
>> OK, I've found the bug...
>>
>> I have added an access log valve and here is what I see in it:
>>
>> [15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403
>> GET //manager/text/list HTTP/1.0
>>
>> That explains it. So, I do have IPv6, but the valve doesn't recognize
>> ::1 as being equivalent to the fully expanded IPv6 address... If it
>> only tries and matches the regex, the behaviour is therefore normal.
>
> Aha. So I do get a Debugger Bonus Point after all.
>

Yes, indeed. Even though I have NETWORKING_IPV6=no in
/etc/sysconfig/network. Bah.

>>
>> I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it
>> does work...
>>
>> So, PEBKAC mostly, but I think Tomcat should be able to treat reduced
>> IPv6 address formats.
>>
>
> That would mean that both the address configured in the Valve, and the
> client address, would need to be "canonicalised" and then compared.
> You'll probably see the traditional "patches are welcome" soon.
>
> On the other hand, using a regexp provides for quite a bit of flexibility
> regarding ranges of addresses. You could use something like :
> "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)"
>

Well, checking address ranges would be _much_ easier if regexes were
not anchored...

But anyway, the "allow" and "deny" as they exist currently just don't
cut the mustard, and are far from being as potent as, say Apache's
Allow from and Deny from. This should be the goal.
RemoteAddrValveEvolved?

-- 
Francis Galiegue
ONE2TEAM
Ingénieur système
Mob : +33 (0) 683 877 875
Tel : +33 (0) 178 945 552
fge@one2team.com
40 avenue Raymond Poincaré
75116 Paris



Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/9/15 André Warnier <aw...@ice-sa.com>:
> Konstantin Kolinko wrote:
>>
>> 2011/9/15 André Warnier <aw...@ice-sa.com>:
>>>
>>> On the other hand, using a regexp provides for quite a bit of flexibility
>>> regarding ranges of addresses. You could use something like :
>>> "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)"
>>
>> Just 127\.0\.0\.1
>> It is XML - no need to double the slashes.
>
> For XML parsing not.  But then it becomes a String, and this String is
> passed to the regexp engine..
> And the regexp engine will interpret "." as "any character", while it
> interprets "\." as "a dot character".
> So, are you sure ?

String needs double "\" when it is written in Java sources or in
properties files. Double slash becomes single slash when the class is
compiled or when the properties file is read.

When it is in memory it does not need the double slashes.


Best regards,
Konstantin Kolinko



Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by André Warnier <aw...@ice-sa.com>.
Konstantin Kolinko wrote:
> 2011/9/15 André Warnier <aw...@ice-sa.com>:
>> On the other hand, using a regexp provides for quite a bit of flexibility
>> regarding ranges of addresses. You could use something like :
>> "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)"
> 
> Just 127\.0\.0\.1
> It is XML - no need to double the slashes.

For XML parsing not.  But then it becomes a String, and this String is passed to the 
regexp engine..
And the regexp engine will interpret "." as "any character", while it interprets "\." as 
"a dot character".
So, are you sure ?

> 
> Best regards,
> Konstantin Kolinko
> 


Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/9/15 André Warnier <aw...@ice-sa.com>:
> On the other hand, using a regexp provides for quite a bit of flexibility
> regarding ranges of addresses. You could use something like :
> "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)"

Just 127\.0\.0\.1
It is XML - no need to double the slashes.

Best regards,
Konstantin Kolinko



Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by André Warnier <aw...@ice-sa.com>.
Francis GALIEGUE wrote:
> On Thu, Sep 15, 2011 at 10:06, Francis GALIEGUE <fg...@one2team.com> wrote:
>> On Wed, Sep 14, 2011 at 20:49, Mark Eggers <it...@yahoo.com> wrote:
>> [...]
>>> I've not tried this in Tomcat, but here's a thought.
>>>
>>> According to:
>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter
>>>
>>>
>>> Tomcat uses java.util.regex for pattern matching. This means that if you want a string regular expression to include a ".", you'll end up entering it as \\.
>>>
>>> Try using "127\\.0\\.0\\.1|::1" and see if that fixes your problem.
>>>
>>> I have no idea why it would work in previous versions (have not checked the change log).
>>>
>>> . . . . just my two cents.
>> Yep, fair enough. But in this case "\." would have expanded to a dot
>> and it would have matched anyway.
>>
>> @André: I do connect from localhost using wget, mainly:
>>
>> wget -O - -nv --http-user=xxxx --http-password=xxxx
>> http://localhost:8080//manager/text/list
>>
>> But even so, using "127\\.0\\.0\\.1", I get 403... There definitely is
>> something broken :(
>>
> 
> OK, I've found the bug...
> 
> I have added an access log valve and here is what I see in it:
> 
> [15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403
> GET //manager/text/list HTTP/1.0
> 
> That explains it. So, I do have IPv6, but the valve doesn't recognize
> ::1 as being equivalent to the fully expanded IPv6 address... If it
> only tries and matches the regex, the behaviour is therefore normal.

Aha. So I do get a Debugger Bonus Point after all.

> 
> I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it
> does work...
> 
> So, PEBKAC mostly, but I think Tomcat should be able to treat reduced
> IPv6 address formats.
> 

That would mean that both the address configured in the Valve, and the client address, 
would need to be "canonicalised" and then compared.
You'll probably see the traditional "patches are welcome" soon.

On the other hand, using a regexp provides for quite a bit of flexibility regarding ranges 
of addresses. You could use something like :
"(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)"



Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by Francis GALIEGUE <fg...@one2team.com>.
On Thu, Sep 15, 2011 at 10:06, Francis GALIEGUE <fg...@one2team.com> wrote:
> On Wed, Sep 14, 2011 at 20:49, Mark Eggers <it...@yahoo.com> wrote:
> [...]
>>
>> I've not tried this in Tomcat, but here's a thought.
>>
>> According to:
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter
>>
>>
>> Tomcat uses java.util.regex for pattern matching. This means that if you want a string regular expression to include a ".", you'll end up entering it as \\.
>>
>> Try using "127\\.0\\.0\\.1|::1" and see if that fixes your problem.
>>
>> I have no idea why it would work in previous versions (have not checked the change log).
>>
>> . . . . just my two cents.
>
> Yep, fair enough. But in this case "\." would have expanded to a dot
> and it would have matched anyway.
>
> @André: I do connect from localhost using wget, mainly:
>
> wget -O - -nv --http-user=xxxx --http-password=xxxx
> http://localhost:8080//manager/text/list
>
> But even so, using "127\\.0\\.0\\.1", I get 403... There definitely is
> something broken :(
>

OK, I've found the bug...

I have added an access log valve and here is what I see in it:

[15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403
GET //manager/text/list HTTP/1.0

That explains it. So, I do have IPv6, but the valve doesn't recognize
::1 as being equivalent to the fully expanded IPv6 address... If it
only tries and matches the regex, the behaviour is therefore normal.

I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it
does work...

So, PEBKAC mostly, but I think Tomcat should be able to treat reduced
IPv6 address formats.

-- 
Francis Galiegue
ONE2TEAM
Ingénieur système
Mob : +33 (0) 683 877 875
Tel : +33 (0) 178 945 552
fge@one2team.com
40 avenue Raymond Poincaré
75116 Paris
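
The matching behaviour worked out in this thread, as an added Java example (not code from the thread or from Tomcat). It assumes the valve applies `allow` as a whole-string `java.util.regex` match; the class and helper names and the `fd00::1` address are constructed for illustration.

```java
import java.net.InetAddress;
import java.util.regex.Pattern;

public class RemoteAddrAllowDemo {

    // Assumption: a client is accepted only when the whole address string
    // matches the pattern (the anchored behaviour the thread reports).
    static boolean anchored(String regex, String addr) {
        return Pattern.matches(regex, addr);
    }

    // Unanchored search, shown only for contrast with the anchored match.
    static boolean unanchored(String regex, String addr) {
        return Pattern.compile(regex).matcher(addr).find();
    }

    static void show(String label, boolean result) {
        System.out.printf("%-58s %s%n", label, result ? "allow" : "403");
    }

    public static void main(String[] args) throws Exception {
        // An IPv6 literal is parsed without a DNS lookup; the JVM prints it
        // uncompressed, which is the form that shows up in the access log.
        String loopback6 = InetAddress.getByName("::1").getHostAddress();
        System.out.println("JVM text form of ::1 = " + loopback6);

        // Regexes as the engine receives them from the XML attribute.
        // The Java literals below double each backslash once more.
        String original = "127\\.0\\.0\\.1|::1";
        String expanded = "127\\.0\\.0\\.1|0:0:0:0:0:0:0:1";
        String bothForms = "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)";
        String doubledInXml = "127\\\\.0\\\\.0\\\\.1";

        show("original pattern vs 127.0.0.1", anchored(original, "127.0.0.1"));
        show("original pattern vs " + loopback6, anchored(original, loopback6));
        show("expanded pattern vs " + loopback6, anchored(expanded, loopback6));
        show("both-forms pattern vs ::1", anchored(bothForms, "::1"));
        show("both-forms pattern vs " + loopback6, anchored(bothForms, loopback6));

        // With \\ typed into the XML attribute the regex asks for a literal
        // backslash followed by any character, so dotted IPv4 cannot match.
        show("doubled-backslash XML value vs 127.0.0.1",
                anchored(doubledInXml, "127.0.0.1"));

        // Constructed non-loopback address whose text ends with the
        // loopback text: the case where anchoring changes the decision.
        String other = InetAddress.getByName("fd00::1").getHostAddress();
        show("anchored loopback pattern vs " + other,
                anchored("0:0:0:0:0:0:0:1", other));
        show("unanchored loopback pattern vs " + other,
                unanchored("0:0:0:0:0:0:0:1", other));
    }
}
```

Running it with the exact `allow` value from a context.xml, and the address printed by the access log valve, shows which side of the comparison is in an unexpected text form before the valve is blamed.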



Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by Francis GALIEGUE <fg...@one2team.com>.
On Wed, Sep 14, 2011 at 20:49, Mark Eggers <it...@yahoo.com> wrote:
[...]
>
> I've not tried this in Tomcat, but here's a thought.
>
> According to:
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter
>
>
> Tomcat uses java.util.regex for pattern matching. This means that if you want a string regular expression to include a ".", you'll end up entering it as \\.
>
> Try using "127\\.0\\.0\\.1|::1" and see if that fixes your problem.
>
> I have no idea why it would work in previous versions (have not checked the change log).
>
> . . . . just my two cents.

Yep, fair enough. But in this case "\." would have expanded to a dot
and it would have matched anyway.

@André: I do connect from localhost using wget, mainly:

wget -O - -nv --http-user=xxxx --http-password=xxxx
http://localhost:8080//manager/text/list

But even so, using "127\\.0\\.0\\.1", I get 403... There definitely is
something broken :(

-- 
Francis Galiegue
ONE2TEAM
Ingénieur système
Mob : +33 (0) 683 877 875
Tel : +33 (0) 178 945 552
fge@one2team.com
40 avenue Raymond Poincaré
75116 Paris



Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by André Warnier <aw...@ice-sa.com>.
Mark Eggers wrote:
...

> 
> Try using "127\\.0\\.0\\.1|::1" and see if that fixes your problem.
> 

Of course ! I missed that one.


> I have no idea why it would work in previous versions (have not checked the change log).
> 
Neither have I.





Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by Mark Eggers <it...@yahoo.com>.
----- Original Message -----

> From: Francis GALIEGUE <fg...@one2team.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Cc: 
> Sent: Wednesday, September 14, 2011 8:42 AM
> Subject: Re: tomcat 7.0.21: bug in RemoteAddrValve?
> 
> On Wed, Sep 14, 2011 at 17:28, André Warnier <aw...@ice-sa.com> wrote:
>>  Francis GALIEGUE wrote:
> [...]
>>>     <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>>         allow="127\.0\.0\.1|::1"/>
> [...]
>>> 
>>  Maybe try to modify that regexp somewhat, like to
>>  allow="(127\.0\.0\.1)|(::1)"
>>  or
>>  allow="127\.0\.0\.1|\:\:1"
>>  just in case the regexp library version changed, and it now interprets the
>>  original expression slightly differently ?
> 
> Nope... I also tried 127\.0\.0\.1 alone and no dice.
> 
> I'll try your two other suggestions but if any works, it means the
> regex engine used is seriously buggy!
> 
>>  Could it also be that previously, Tomcat saw an IPv4 address and it worked,
>>  but now it sees an IPv6 address and the "::1" part in fact never worked, but
>>  was never used before ?
>> 
> 
> The machine has IPv4 only. I just put in the ::1 in prevision of a not
> so distant future...
> 
> But maybe it is some other part of the configuration (server.xml?
> default context.xml?) which needs to be changed?
>

I've not tried this in Tomcat, but here's a thought.

According to:

http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter


Tomcat uses java.util.regex for pattern matching. This means that if you want a string regular expression to include a ".", you'll end up entering it as \\.

Try using "127\\.0\\.0\\.1|::1" and see if that fixes your problem.

I have no idea why it would work in previous versions (have not checked the change log).

. . . . just my two cents.
/mde/



Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by Francis GALIEGUE <fg...@one2team.com>.
On Wed, Sep 14, 2011 at 17:28, André Warnier <aw...@ice-sa.com> wrote:
> Francis GALIEGUE wrote:
[...]
>>    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>        allow="127\.0\.0\.1|::1"/>
[...]
>>
> Maybe try to modify that regexp somewhat, like to
> allow="(127\.0\.0\.1)|(::1)"
> or
> allow="127\.0\.0\.1|\:\:1"
> just in case the regexp library version changed, and it now interprets the
> original expression slightly differently ?

Nope... I also tried 127\.0\.0\.1 alone and no dice.

I'll try your two other suggestions but if any works, it means the
regex engine used is seriously buggy!

> Could it also be that previously, Tomcat saw an IPv4 address and it worked,
> but now it sees an IPv6 address and the "::1" part in fact never worked, but
> was never used before ?
>

The machine has IPv4 only. I just put in the ::1 in prevision of a not
so distant future...

But maybe it is some other part of the configuration (server.xml?
default context.xml?) which needs to be changed?

-- 
Francis Galiegue
ONE2TEAM
Ingénieur système
Mob : +33 (0) 683 877 875
Tel : +33 (0) 178 945 552
fge@one2team.com
40 avenue Raymond Poincaré
75116 Paris



Re: tomcat 7.0.21: bug in RemoteAddrValve?

Posted by André Warnier <aw...@ice-sa.com>.
Francis GALIEGUE wrote:
> Hello,
> 
> I have a base Tomcat install with only the manager webapp in it at
> startup (I deploy other webapps using it in text mode) but since I
> upgraded from 7.0.16 to 7.0.21, the manager no longer works with the
> RemoteAddrValve.
> 
> The context.xml is:
> 
> ----
> <Context docBase="/usr/share/tomcat7/webapps/manager"
>     antiResourceLocking="false" privileged="true">
>     <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>         allow="127\.0\.0\.1|::1"/>
> </Context>
> ----
> 
> This worked fine with 7.0.16 and doesn't work anymore with 7.0.21, I
> get 403 each time... Anyone seeing the same problem?
> 
Maybe try to modify that regexp somewhat, like to
allow="(127\.0\.0\.1)|(::1)"
or
allow="127\.0\.0\.1|\:\:1"
just in case the regexp library version changed, and it now interprets the original 
expression slightly differently ?
Could it also be that previously, Tomcat saw an IPv4 address and it worked, but now it 
sees an IPv6 address and the "::1" part in fact never worked, but was never used before ?

