Posted to users@tomcat.apache.org by Johan Martinez <jm...@gmail.com> on 2010/07/18 06:19:42 UTC

IP based request filters for admin/manager

I was wondering how to configure Request Filters to allow access to admin,
manager, status-report, etc... I followed tomcat doc:
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters
and I was able to restrict access by specifying webapp names, e.g.:
[[[
        <Context path="/manager" >
                <Valve
className="org.apache.catalina.valves.RemoteAddrValve"
                        allow="127.0.0.1" deny=""/>
        </Context>
]]]

How can I deny access to default welcome/index page, changelog,
release-notes etc.?

I know just restricting access to default welcome/index page does not
restrict access to manager or admin links on that page. Still, I would like
to restrict access to welcome/index page in addition to admin/manager
webapps. I have tried "/" and "/ROOT" and it didn't work.

Any help or suggestions?

Thanks,
jM.

Re: IP based request filters for admin/manager

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> Johan,
> 
> On 7/18/2010 11:48 PM, Johan Martinez wrote:
>> Started afresh and got it working finally.
>>
>>  I tried with and without escape character and both worked.
> 
> Probably because . matches '.'.

Yep. :-)

Johan, if you are still there, a bit more explicitly:

The regexp /123.123.123.123/ will match the string "123.123.123.123", but also the strings 
"123#123#123#123" and "123?123X123+123" (and many other similar ones), because in a regexp 
a non-escaped "." matches any single character.

On the other hand, the regexp /123\.123\.123\.123/ will only match the string 
"123.123.123.123", because escaping the "." by a backslash means "a literal dot".


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: IP based request filters for admin/manager

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Johan,

On 7/18/2010 11:48 PM, Johan Martinez wrote:
> Started afresh and got it working finally.
> 
>  I tried with and without escape character and both worked.

Probably because . matches '.'.

- -chris



Re: IP based request filters for admin/manager

Posted by Johan Martinez <jm...@gmail.com>.
Started afresh and got it working finally.

 I tried with and without escape character and both worked.

Thanks,
jM.


On Sun, Jul 18, 2010 at 1:09 PM, Konstantin Kolinko
<kn...@gmail.com>wrote:

> 2010/7/18 Shantanu Pavgi <pa...@uab.edu>:
> >
> > I don't have a solution, but just wanted to comment that examples in the
> doc are correct.
> > See API doc:
> http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/valves/RequestFilterValve.html#allow
> > The 'allow' field uses String expression and 'allows' uses Java Regex
> package.
> >
>
> It is the same value. "allows" is created from "allow", by splitting
> the value at commas and converting each one into a regex.
>
>  There is setAllow(..), but there is no setAllows(...) setter method.
>
>
> http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/valves/RequestFilterValve.java?view=markup
>
>
>     public void setAllow(String allow) {
>         this.allow = allow;
>         allows = precalculate(allow);
>     }
>
>     protected Pattern[] precalculate(String list) {
> (...)
>         String pattern = list.substring(0, comma).trim();
>         reList.add(Pattern.compile(pattern));
>
>
> Best regards,
> Konstantin Kolinko
>
>
>

Re: IP based request filters for admin/manager

Posted by Konstantin Kolinko <kn...@gmail.com>.
2010/7/18 Shantanu Pavgi <pa...@uab.edu>:
>
> I don't have a solution, but just wanted to comment that examples in the doc are correct.
> See API doc: http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/valves/RequestFilterValve.html#allow
> The 'allow' field uses String expression and 'allows' uses Java Regex package.
>

It is the same value. "allows" is created from "allow", by splitting
the value at commas and converting each one into a regex.

 There is setAllow(..), but there is no setAllows(...) setter method.

http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/valves/RequestFilterValve.java?view=markup


    public void setAllow(String allow) {
        this.allow = allow;
        allows = precalculate(allow);
    }

    protected Pattern[] precalculate(String list) {
(...)
        String pattern = list.substring(0, comma).trim();
        reList.add(Pattern.compile(pattern));


Best regards,
Konstantin Kolinko



RE: IP based request filters for admin/manager

Posted by Shantanu Pavgi <pa...@uab.edu>.
I don't have a solution, but just wanted to comment that examples in the doc are correct. 
See API doc: http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/valves/RequestFilterValve.html#allow 
The 'allow' field uses String expression and 'allows' uses Java Regex package. 

I have seen similar problems with Tomcat 5.527/28 and 6.0 on CentOS and Ubuntu, but they were not consistent to reproduce. Packages were downloaded from tomcat site and were not platform specific builds. I was running tomcat on non-standard port (not 8080 port) though. 

--
Shantanu Pavgi. 


________________________________________
From: Konstantin Kolinko [knst.kolinko@gmail.com]
Sent: Sunday, July 18, 2010 11:16 AM
To: Tomcat Users List
Subject: Re: IP based request filters for admin/manager

2010/7/18 Johan Martinez <jm...@gmail.com>:
> I was wondering how to configure Request Filters to allow access to admin,
> manager, status-report, etc... I followed tomcat doc:
> http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters
> and I was able to restrict access by specifying webapp names, e.g.:
> [[[
>        <Context path="/manager" >
>                <Valve
> className="org.apache.catalina.valves.RemoteAddrValve"
>                        allow="127.0.0.1" deny=""/>
>        </Context>
> ]]]
>

as said in
http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html#Remote%20Address%20Filter
the allow and deny attributes are regular expressions.  So, '.' has to
be escaped as '\.'.

(an example in
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters
is wrong)

I would recommend to omit the "deny" attribute instead of setting it
to an empty string.

If there are doubts, the source code for the classes is available.


> * I put following in the $CATALINA_HOME/webapps/ROOT/META-INF/context.xml ,
> but it's not working.
> (...)
> Also, this file is not being copied as
> $CATALINA_HOME/conf/Catalina/localhost/ROOT.xml.

The file in /conf/ takes priority over the one in the webapp's
META-INF, because it can be edited by a local administrator.

The copying from webapp's META-INF to tomcat's conf/  occurs only when
the file in conf/ does not exist, e.g. when a new web application is
deployed.


Best regards,
Konstantin Kolinko





Re: IP based request filters for admin/manager

Posted by Konstantin Kolinko <kn...@gmail.com>.
2010/7/18 Johan Martinez <jm...@gmail.com>:
> I was wondering how to configure Request Filters to allow access to admin,
> manager, status-report, etc... I followed tomcat doc:
> http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters
> and I was able to restrict access by specifying webapp names, e.g.:
> [[[
>        <Context path="/manager" >
>                <Valve
> className="org.apache.catalina.valves.RemoteAddrValve"
>                        allow="127.0.0.1" deny=""/>
>        </Context>
> ]]]
>

as said in
http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html#Remote%20Address%20Filter
the allow and deny attributes are regular expressions.  So, '.' has to
be escaped as '\.'.

(an example in
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters
is wrong)

I would recommend to omit the "deny" attribute instead of setting it
to an empty string.

If there are doubts, the source code for the classes is available.


> * I put following in the $CATALINA_HOME/webapps/ROOT/META-INF/context.xml ,
> but it's not working.
> (...)
> Also, this file is not being copied as
> $CATALINA_HOME/conf/Catalina/localhost/ROOT.xml.

The file in /conf/ takes priority over the one in the webapp's
META-INF, because it can be edited by a local administrator.

The copying from webapp's META-INF to tomcat's conf/  occurs only when
the file in conf/ does not exist, e.g. when a new web application is
deployed.


Best regards,
Konstantin Kolinko
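The point made in this reply and in André's (the allow/deny value is split at commas, each piece is compiled as a regex, and an unescaped "." matches any character) can be checked outside Tomcat. The script below is an added example, not Tomcat's own code: it re-implements the described precalculate/match logic in Python, assuming that for these simple patterns Python's re behaves like java.util.regex and that fullmatch() corresponds to Java's Matcher.matches(); PROBES are constructed sample addresses.

```python
import re

# Added example (not Tomcat's code). Mirrors what the thread describes for
# RemoteAddrValve: "allow"/"deny" is split at commas, each piece becomes a
# compiled regex, and the remote address must match a piece in full.


def precalculate(value):
    """Split a comma-separated allow/deny value into compiled patterns."""
    if value is None:
        return []
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def matches_any(value, remote_addr):
    """True if remote_addr fully matches one pattern of the allow/deny value."""
    # fullmatch() is assumed to behave like Java's Matcher.matches().
    return any(p.fullmatch(remote_addr) for p in precalculate(value))


def audit_allow(allow_value, probes):
    """Return the probe addresses an allow value would accept."""
    return [addr for addr in probes if matches_any(allow_value, addr)]


def literal(addr):
    """Escape an address so every '.' means a literal dot, as the thread advises."""
    return re.escape(addr)


# Constructed sample addresses: the intended one, a look-alike that only an
# unescaped '.' accepts, and near misses of the wrong length.
PROBES = ["127.0.0.1", "127a0b0c1", "1270001", "127.0.0.10", "10.0.0.5"]

if __name__ == "__main__":
    unescaped = "127.0.0.1"            # as in the doc example
    escaped = literal(unescaped)       # 127\.0\.0\.1
    print("unescaped accepts:", audit_allow(unescaped, PROBES))
    print("escaped accepts:  ", audit_allow(escaped, PROBES))
    print("comma list:       ", audit_allow(escaped + ",10\\.0\\.0\\.5", PROBES))
```

Running it shows the unescaped doc example also accepting "127a0b0c1", while the escaped form accepts only the literal address.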



Re: IP based request filters for admin/manager

Posted by Johan Martinez <jm...@gmail.com>.
The first line should have been:
I was wondering how to configure Request Filters to s/allow/RESTRICT/ access
to admin, manager, status-report, etc.. :)

jM.


On Sat, Jul 17, 2010 at 11:19 PM, Johan Martinez <jm...@gmail.com> wrote:

> I was wondering how to configure Request Filters to allow access to admin,
> manager, status-report, etc... I followed tomcat doc:
> http://tomcat.apache.org/tomcat-5.5-doc/config/context.html#Request_Filters
> and I was able to restrict access by specifying webapp names, e.g.:
> [[[
>         <Context path="/manager" >
>                 <Valve
> className="org.apache.catalina.valves.RemoteAddrValve"
>                         allow="127.0.0.1" deny=""/>
>         </Context>
> ]]]
>
> How can I deny access to default welcome/index page, changelog,
> release-notes etc.?
>
> I know just restricting access to default welcome/index page does not
> restrict access to manager or admin links on that page. Still, I would like
> to restrict access to welcome/index page in addition to admin/manager
> webapps. I have tried "/" and "/ROOT" and it didn't work.
>
> Any help or suggestions?
>
> Thanks,
> jM.
>
>
>
>
>

Re: IP based request filters for admin/manager

Posted by Johan Martinez <jm...@gmail.com>.
* I put following in the $CATALINA_HOME/webapps/ROOT/META-INF/context.xml ,
but it's not working.

<Context>
        <!-- element is Valve and the class is RemoteAddrValve -->
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
                allow="ip.addr." deny=""/>
</Context>

Also, this file is not being copied as
$CATALINA_HOME/conf/Catalina/localhost/ROOT.xml.

* In addition to above file , I modified
$CATALINA_HOME/conf/Catalina/localhost/manager.xml and
$CATALINA_HOME/conf/Catalina/localhost/host-manager.xml as well, but that's
not working either.

Am I missing anything?

--
jM.



On Sun, Jul 18, 2010 at 1:00 AM, Johan Martinez <jm...@gmail.com> wrote:

>
> Thanks for the suggestions Chuck.
>
> Below is my reply inline.
>
> As you may have guessed out I am a newbie and this is turning out to be
> really interesting and educational. :)
>
> --
> jM.
>
> On Sun, Jul 18, 2010 at 12:31 AM, Caldarale, Charles R <
> Chuck.Caldarale@unisys.com> wrote:
>
>>
>> > From: Johan Martinez [mailto:jmartiee@gmail.com]
>> > Subject: Re: IP based request filters for admin/manager
>> >
>> > I don't want to replace the default ROOT webapp, in other
>> > words, I don't want my specific webapp to be ROOT app.
>>
>> A little odd, but if that's your choice...
>>
>
>
> There are multiple webapps and all are being deployed/accessed using some
> specific names. Clients are configured with these specific URL patterns. So
> ROOT webapp is not needed.
>
>
>
>> > But I would like to restrict/hide information normally
>> > exposed by the default ROOT webapp.
>>
>> All of what Tomcat's default ROOT has, or just some of it?
>>
>> For all of it, just place a <Context> element in
>> webapps/ROOT/META-INF/context.xml, configuring the valve you already know
>> about.  (Do not use path or docBase attributes here - they're not allowed.)
>>  If you only want to restrict some of it, but don't want to use
>> authentication, you'll need to write a more sophisticated filter.  There's
>> no need to move or rename ROOT, unless you're just trying to obscure things
>> (and security through obscurity is a fool's game).
>>
>
>  Thanks for pointing out this approach.
>
>
>> > I removed 'manager' from webapps directory.
>>
>> What version of Tomcat are you using?  If you're using 5.5.x (hinted at by
>> your previous message's reference to a doc page), the manager webapp is in
>> server/webapps, not the regular webapps directory.  If you're using a newer
>> Tomcat (and you probably should be), manager is under the regular webapps
>> directory.
>>
>> > Now I am not able to access http://hostname/manager
>>
>> You never could - that will always get you a 404 (at least until Tomcat
>> 7.0.1 comes out).
>>
>> > but http://hostname/manager/html works.
>>
>> That's the valid URL for the manager GUI.  Looks like you didn't really
>> get rid of it.
>>
>
>
> Checked $CATALINA_HOME/conf/Catalina/localhost/manager.xml and found
> "<Context docBase="${catalina.home}/server/webapps/manager" entry. I thought
> I removed manager app, but not really...
>
>
>>
>>  - Chuck
>>
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you received
>> this in error, please contact the sender and delete the e-mail and its
>> attachments from all computers.
>>
>>
>>
>>
>

Re: IP based request filters for admin/manager

Posted by Johan Martinez <jm...@gmail.com>.
Thanks for the suggestions Chuck.

Below is my reply inline.

As you may have guessed, I am a newbie and this is turning out to be
really interesting and educational. :)

--
jM.

On Sun, Jul 18, 2010 at 12:31 AM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:

>
> > From: Johan Martinez [mailto:jmartiee@gmail.com]
> > Subject: Re: IP based request filters for admin/manager
> >
> > I don't want to replace the default ROOT webapp, in other
> > words, I don't want my specific webapp to be ROOT app.
>
> A little odd, but if that's your choice...
>


There are multiple webapps and all are being deployed/accessed using some
specific names. Clients are configured with these specific URL patterns. So
ROOT webapp is not needed.



> > But I would like to restrict/hide information normally
> > exposed by the default ROOT webapp.
>
> All of what Tomcat's default ROOT has, or just some of it?
>
> For all of it, just place a <Context> element in
> webapps/ROOT/META-INF/context.xml, configuring the valve you already know
> about.  (Do not use path or docBase attributes here - they're not allowed.)
>  If you only want to restrict some of it, but don't want to use
> authentication, you'll need to write a more sophisticated filter.  There's
> no need to move or rename ROOT, unless you're just trying to obscure things
> (and security through obscurity is a fool's game).
>

 Thanks for pointing out this approach.


> > I removed 'manager' from webapps directory.
>
> What version of Tomcat are you using?  If you're using 5.5.x (hinted at by
> your previous message's reference to a doc page), the manager webapp is in
> server/webapps, not the regular webapps directory.  If you're using a newer
> Tomcat (and you probably should be), manager is under the regular webapps
> directory.
>
> > Now I am not able to access http://hostname/manager
>
> You never could - that will always get you a 404 (at least until Tomcat
> 7.0.1 comes out).
>
> > but http://hostname/manager/html works.
>
> That's the valid URL for the manager GUI.  Looks like you didn't really get
> rid of it.
>


Checked $CATALINA_HOME/conf/Catalina/localhost/manager.xml and found
"<Context docBase="${catalina.home}/server/webapps/manager" entry. I thought
I removed manager app, but not really...


>
>  - Chuck
>
>
>
>
>
>

RE: IP based request filters for admin/manager

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Johan Martinez [mailto:jmartiee@gmail.com]
> Subject: Re: IP based request filters for admin/manager
> 
> I don't want to replace the default ROOT webapp, in other 
> words, I don't want my specific webapp to be ROOT app.

A little odd, but if that's your choice...

> But I would like to restrict/hide information normally 
> exposed by the default ROOT webapp.

All of what Tomcat's default ROOT has, or just some of it?

For all of it, just place a <Context> element in webapps/ROOT/META-INF/context.xml, configuring the valve you already know about.  (Do not use path or docBase attributes here - they're not allowed.)  If you only want to restrict some of it, but don't want to use authentication, you'll need to write a more sophisticated filter.  There's no need to move or rename ROOT, unless you're just trying to obscure things (and security through obscurity is a fool's game).

> I removed 'manager' from webapps directory.

What version of Tomcat are you using?  If you're using 5.5.x (hinted at by your previous message's reference to a doc page), the manager webapp is in server/webapps, not the regular webapps directory.  If you're using a newer Tomcat (and you probably should be), manager is under the regular webapps directory.

> Now I am not able to access http://hostname/manager

You never could - that will always get you a 404 (at least until Tomcat 7.0.1 comes out).

> but http://hostname/manager/html works.

That's the valid URL for the manager GUI.  Looks like you didn't really get rid of it.

 - Chuck






Re: IP based request filters for admin/manager

Posted by Johan Martinez <jm...@gmail.com>.
Thanks for the reply Chuck.

I don't want to replace the default ROOT webapp, in other words, I don't
want my specific webapp to be ROOT app. But I would like to restrict/hide
information normally exposed by the default ROOT webapp. I am thinking about
renaming ROOT directory to some other-random-name and restrict access to
other-random-name using IP filtering. Any suggestions or comments?

Also, an unrelated question to IP filtering, but related to the manager webapp.  I
removed 'manager' from webapps directory. Now I am not able to access
http://hostname/manager , but http://hostname/manager/html works. I am not
following how the second link is working.  Am I missing anything?

Thanks,
jM.


On Sat, Jul 17, 2010 at 11:30 PM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:

> > From: Johan Martinez [mailto:jmartiee@gmail.com]
> > Subject: IP based request filters for admin/manager
> >
> > How can I deny access to default welcome/index page,
> > changelog, release-notes etc.?
>
> If you're deploying Tomcat in any kind of environment that requires
> securing access to various components, you would normally replace the
> default webapp (ROOT) with one of your own, thereby eliminating the
> changelog, release-notes, etc.
>
> If you want to restrict access to specific resources within a webapp, use
> the servlet-spec defined mechanisms to configure security for the webapp.
>  (Some familiarity with the servlet spec is required before fooling around
> with a servlet container such as Tomcat.)
>
>  - Chuck
>
>
>
>
>
>

RE: IP based request filters for admin/manager

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Johan Martinez [mailto:jmartiee@gmail.com]
> Subject: IP based request filters for admin/manager
> 
> How can I deny access to default welcome/index page,
> changelog, release-notes etc.?

If you're deploying Tomcat in any kind of environment that requires securing access to various components, you would normally replace the default webapp (ROOT) with one of your own, thereby eliminating the changelog, release-notes, etc.

If you want to restrict access to specific resources within a webapp, use the servlet-spec defined mechanisms to configure security for the webapp.  (Some familiarity with the servlet spec is required before fooling around with a servlet container such as Tomcat.)

 - Chuck



