Posted to users@tomcat.apache.org by "Scott,Tim" <Ti...@oclc.org> on 2022/03/21 20:47:41 UTC
Re: [External] Re: RemoteAddrFilter (org.apache.catalina.filters)
Hi Chris and Mark,
As Mark spotted, I'm editing the conf/web.xml file.
If I move this to the application's web.xml, is there any way it can be overridden by the Tomcat configuration?
Ideally, I'd like it to be somehow configurable by the person deploying it.
Alternatively, can it be configured programmatically?
I could then read a setting from the database.
(Apologies for not describing all the requirements at the outset - users, eh?)
Thanks,
Tim
--
Tim Scott
OCLC · Senior OLIB Software Engineer
City Gate · 8 St. Mary's Gate · Sheffield S1 4LW · United Kingdom
cc: IT file
________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Monday, March 21, 2022 8:14 pm
To: users@tomcat.apache.org
Subject: [External] Re: RemoteAddrFilter (org.apache.catalina.filters)
Tim,
On 3/21/22 13:51, Scott,Tim wrote:
> Hi all,
>
> I’ve been trying to get this to work for a bit without any luck.
>
> What I’ve arrived at, in my main Tomcat web.xml, is:
>
> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
>                              http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
>          version="4.0">
>
> <filter>
>   <filter-name>Remote Address Filter</filter-name>
>   <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>   <init-param>
>     <param-name>allow</param-name>
>     <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>   </init-param>
> </filter>
>
> <filter-mapping>
>   <filter-name>Remote Address Filter</filter-name>
>   <url-pattern>/sru/*</url-pattern>
> </filter-mapping>
>
> This is more-or-less a copy/paste from the documentation at
> https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_Address_Filter,
> but the url-pattern is presenting me some problems.
>
> There are (for various business reasons) planned to be two applications
> on this Tomcat – one at “/sru/…” and one not.
>
> The one at “/sru” needs to have a filter applied to stop it being
> accessed from non-whitelisted sources. The other application is public.
>
> Or, I need to do some development work to integrate with our corporate
> authentication mechanism – for requests that have already been
> authenticated and are arriving from another, internal, server. To me,
> that seems like a waste of time.
>
> If I adjust the url-pattern to:
>
> <url-pattern>/*</url-pattern>
>
> … then all access from other clients for both applications get an
> http/403 response. No surprise, there.
>
> If I make the pattern:
>
> <url-pattern>/sru/*</url-pattern>
>
> (or some variations thereof – “sru”, “/sru”, “/sru/”,
> “/sru*”, …)
>
> … then both applications are equally accessible from other clients.
>
> Is what I’m trying to do possible?
>
> I’m using Tomcat 9.0.54.
>
> If it should work – can anyone spot what I’ve missed?
>
> Thanks,
>
> Tim
What is the context path of your web application? The filter should
ignore the context-path and only look at URLs relative to that context-path.
So if your context-path is /sru then you really just want to look at
/* and not /sru*
The other question is "which web.xml are you editing"? If you are
editing the one in CATALINA_BASE/conf/web.xml then that's the wrong one
as it applies to all web applications... but again the URLs will all be
relative to their individual context-paths.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: [External] Re: RemoteAddrFilter (org.apache.catalina.filters)
Posted by Mark Thomas <ma...@apache.org>.
On 21/03/2022 20:47, Scott,Tim wrote:
> Hi Chris and Mark,
>
> As Mark spotted, I'm editing the conf/web.xml file.
>
> If I move this to the application's web.xml, is there any way it can be overridden by the Tomcat configuration?
> Ideally, I'd like it to be somehow configurable by the person deploying it.
You can do that but you need to switch from using a Filter to using a
Valve. Valves can be configured in context.xml files. Assuming the web app
doesn't already have a context.xml file, that would probably be the
easiest way to do this.
Mark
>
> Alternatively, can it be configured programmatically?
> I could then read a setting from the database.
>
> (Apologies for not describing all the requirements at the outset - users, eh?)
>
> Thanks,
> Tim
>
> --
>
> Tim Scott
>
> OCLC · Senior OLIB Software Engineer
> City Gate · 8 St. Mary's Gate · Sheffield S1 4LW · United Kingdom
>
> cc: IT file
>
>
> ________________________________
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Monday, March 21, 2022 8:14 pm
> To: users@tomcat.apache.org
> Subject: [External] Re: RemoteAddrFilter (org.apache.catalina.filters)
>
> Tim,
>
> On 3/21/22 13:51, Scott,Tim wrote:
>> Hi all,
>>
>> I’ve been trying to get this to work for a bit without any luck.
>>
>> What I’ve arrived at, in my main Tomcat web.xml, is:
>>
>> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
>>                              http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
>>          version="4.0">
>>
>> <filter>
>>   <filter-name>Remote Address Filter</filter-name>
>>   <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>>   <init-param>
>>     <param-name>allow</param-name>
>>     <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>>   </init-param>
>> </filter>
>>
>> <filter-mapping>
>>   <filter-name>Remote Address Filter</filter-name>
>>   <url-pattern>/sru/*</url-pattern>
>> </filter-mapping>
>>
>> This is more-or-less a copy/paste from the documentation at
>> https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_Address_Filter,
>> but the url-pattern is presenting me some problems.
>>
>> There are (for various business reasons) planned to be two applications
>> on this Tomcat – one at “/sru/…” and one not.
>>
>> The one at “/sru” needs to have a filter applied to stop it being
>> accessed from non-whitelisted sources. The other application is public.
>>
>> Or, I need to do some development work to integrate with our corporate
>> authentication mechanism – for requests that have already been
>> authenticated and are arriving from another, internal, server. To me,
>> that seems like a waste of time.
>>
>> If I adjust the url-pattern to:
>>
>> <url-pattern>/*</url-pattern>
>>
>> … then all access from other clients for both applications get an
>> http/403 response. No surprise, there.
>>
>> If I make the pattern:
>>
>> <url-pattern>/sru/*</url-pattern>
>>
>> (or some variations thereof – “sru”, “/sru”, “/sru/”,
>> “/sru*”, …)
>>
>> … then both applications are equally accessible from other clients.
>>
>> Is what I’m trying to do possible?
>>
>> I’m using Tomcat 9.0.54.
>>
>> If it should work – can anyone spot what I’ve missed?
>>
>> Thanks,
>>
>> Tim
>
> What is the context path of your web application? The filter should
> ignore the context-path and only look at URLs relative to that context-path.
>
> So if your context-path is /sru then you really just want to look at
> /* and not /sru*
>
> The other question is "which web.xml are you editing"? If you are
> editing the one in CATALINA_BASE/conf/web.xml then that's the wrong one
> as it applies to all web applications... but again the URLs will all be
> relative to their individual context-paths.
>
> -chris
>
>
Re: [External] Re: RemoteAddrFilter (org.apache.catalina.filters)
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Tim,
On 3/22/22 05:33, Scott,Tim wrote:
> Hi Chris and Mark,
>
> Thank you both for your input.
>
> I arrived at an sru.xml file in conf\Catalina\localhost, containing:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Context>
>
> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> addConnectorPort="true"
> allow="10\.\d+\.\d+\.\d+;8443|.*;8080"/>
>
> <!-- other configuration here -->
>
> </Context>
>
> This means that private IPs (just those starting with 10.) can connect on port 8443; any IP on port 8080. It’s there as a reminder that this can be done – my first test was limiting to (localhost);8443, similar to the example in the documentation, but allowed me to confirm that I can/cannot connect depending which port I use. This gave me confidence in the config.
>
> Now I’m reminded why I wanted it to be configurable – it’s behind a load balancer in production and I don’t know what the load balancer is going to deliver as I don’t have one in my development environment. I also don’t know the network route the calling service will take.
If all requests (even "local" ones) will be going through the
load-balancer (or even not, I guess), then you should configure the
RemoteIpValve[1]. This will allow the load balancer to send you the
original IP of the actual client through HTTP headers, and those will be
used in log files, etc.
I *think* it will use those same remote IPs for your RemoteAddrValve,
but you must make sure to have the RemoteIpValve configured to run
*before* the RemoteAddrValve so that the addresses have a chance to be
copied from those headers before they are evaluated for local-ness.
Ask your LB operator to enable the "X-Forwarded-For" header on the LB,
which is how that information is typically sent to back-end servers.
Hope that helps,
-chris
[1]
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve
>
> Thanks,
> Tim
>
> --
> Tim Scott
> OCLC · Senior Software Engineer / Technical Product Manager
>
> cc: IT file
>
> OCLC COVID-19 resources: https://oc.lc/covid19-service-info
>
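As an added illustration of the valve ordering Chris describes (this is constructed here, not a file from the thread or from the Tomcat docs), a version of Tim's conf/Catalina/localhost/sru.xml with RemoteIpValve placed ahead of RemoteAddrValve. The load-balancer address in internalProxies is an assumed placeholder; the point is that X-Forwarded-For is only honoured when the TCP peer is that proxy, so a client reaching Tomcat directly cannot supply a 10.x address in the header to satisfy the allow list.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/Catalina/localhost/sru.xml (constructed example; addresses are placeholders) -->
<Context>

  <!-- 1. Runs first. Replaces the request's remote address with the client
          address taken from X-Forwarded-For, but only when the actual peer
          matches internalProxies (assumed here to be the load balancer at
          10.0.0.5). Requests arriving from any other peer keep their real
          address and the header is ignored, so it cannot be spoofed past
          the allow list below. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="X-Forwarded-For"
         internalProxies="10\.0\.0\.5"
         protocolHeader="X-Forwarded-Proto" />

  <!-- 2. Runs second, so it evaluates the address RemoteIpValve resolved.
          With addConnectorPort="true" the value tested is "address;port",
          where port is the Tomcat connector port, and the allow regex must
          match that whole string. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         addConnectorPort="true"
         allow="10\.\d+\.\d+\.\d+;8443|.*;8080" />

  <!-- other configuration here -->
</Context>
```

Valves in a Context are invoked in the order they appear in the file, so swapping the two elements would make RemoteAddrValve see the load balancer's own address instead of the client's. If the deployment environment does not front every request with the load balancer, the allow pattern still has to describe the addresses that arrive directly.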
RE: [External] Re: RemoteAddrFilter (org.apache.catalina.filters)
Posted by "Scott,Tim" <Ti...@oclc.org>.
Hi Chris and Mark,
Thank you both for your input.
I arrived at an sru.xml file in conf\Catalina\localhost, containing:
<?xml version="1.0" encoding="UTF-8"?>
<Context>
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
addConnectorPort="true"
allow="10\.\d+\.\d+\.\d+;8443|.*;8080"/>
<!-- other configuration here -->
</Context>
This means that private IPs (just those starting with 10.) can connect on port 8443; any IP on port 8080. It’s there as a reminder that this can be done – my first test was limiting to (localhost);8443, similar to the example in the documentation, but allowed me to confirm that I can/cannot connect depending which port I use. This gave me confidence in the config.
Now I’m reminded why I wanted it to be configurable – it’s behind a load balancer in production and I don’t know what the load balancer is going to deliver as I don’t have one in my development environment. I also don’t know the network route the calling service will take.
Thanks,
Tim
--
Tim Scott
OCLC · Senior Software Engineer / Technical Product Manager
cc: IT file
OCLC COVID-19 resources: https://oc.lc/covid19-service-info
Re: [External] Re: RemoteAddrFilter (org.apache.catalina.filters)
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Tim,
On 3/21/22 16:47, Scott,Tim wrote:
> Hi Chris and Mark,
>
> As Mark spotted, I'm editing the conf/web.xml file.
>
> If I move this to the application's web.xml, is there any way it can
> be overridden by the Tomcat configuration? Ideally, I'd like it to be
> somehow configurable by the person deploying it.
You mean, you want the deployer/administrator to be able to configure
this and NOT HAVE the application packager override that configuration,
right?
I think maybe you want to use the Remote Address Valve[1] and not Filter.
Valves can be configured in the application's META-INF/context.xml file,
and those files can be specified by the deployer and will override
whatever comes packaged in the web application.
Stick a file in CATALINA_BASE/conf/[service]/[engine]/[appname].xml and
configure the Valve there, and the application won't overwrite that file
unless you un-deploy the application and re-deploy it.
Another option would be to configure the Valve at the <Engine> or <Host>
level in your conf/server.xml file. That way it's all in one place. But
it applies to *all* applications when you do it this way; you don't
specify a <url-pattern> for a Valve, for example.
> Alternatively, can it be configured programmatically?
I don't see a reason to do this programmatically, unless you are using
Embedded Tomcat already.
> I could then read a setting from the database.
Well, if that's a fun thing for you to do, then sure, programmatically
would allow you to do this kind of thing ;))
> (Apologies for not describing all the requirements at the outset - users, eh?)
No problem.
-chris
[1]
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Address_Valve
> ________________________________
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Monday, March 21, 2022 8:14 pm
> To: users@tomcat.apache.org
> Subject: [External] Re: RemoteAddrFilter (org.apache.catalina.filters)
>
> Tim,
>
> On 3/21/22 13:51, Scott,Tim wrote:
>> Hi all,
>>
>> I’ve been trying to get this to work for a bit without any luck.
>>
>> What I’ve arrived at, in my main Tomcat web.xml, is:
>>
>> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
>>                              http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
>>          version="4.0">
>>
>> <filter>
>>   <filter-name>Remote Address Filter</filter-name>
>>   <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
>>   <init-param>
>>     <param-name>allow</param-name>
>>     <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
>>   </init-param>
>> </filter>
>>
>> <filter-mapping>
>>   <filter-name>Remote Address Filter</filter-name>
>>   <url-pattern>/sru/*</url-pattern>
>> </filter-mapping>
>>
>> This is more-or-less a copy/paste from the documentation at
>> https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_Address_Filter,
>> but the url-pattern is presenting me some problems.
>>
>> There are (for various business reasons) planned to be two applications
>> on this Tomcat – one at “/sru/…” and one not.
>>
>> The one at “/sru” needs to have a filter applied to stop it being
>> accessed from non-whitelisted sources. The other application is public.
>>
>> Or, I need to do some development work to integrate with our corporate
>> authentication mechanism – for requests that have already been
>> authenticated and are arriving from another, internal, server. To me,
>> that seems like a waste of time.
>>
>> If I adjust the url-pattern to:
>>
>> <url-pattern>/*</url-pattern>
>>
>> … then all access from other clients for both applications get an
>> http/403 response. No surprise, there.
>>
>> If I make the pattern:
>>
>> <url-pattern>/sru/*</url-pattern>
>>
>> (or some variations thereof – “sru”, “/sru”, “/sru/”,
>> “/sru*”, …)
>>
>> … then both applications are equally accessible from other clients.
>>
>> Is what I’m trying to do possible?
>>
>> I’m using Tomcat 9.0.54.
>>
>> If it should work – can anyone spot what I’ve missed?
>>
>> Thanks,
>>
>> Tim
>
> What is the context path of your web application? The filter should
> ignore the context-path and only look at URLs relative to that context-path.
>
> So if your context-path is /sru then you really just want to look at
> /* and not /sru*
>
> The other question is "which web.xml are you editing"? If you are
> editing the one in CATALINA_BASE/conf/web.xml then that's the wrong one
> as it applies to all web applications... but again the URLs will all be
> relative to their individual context-paths.
>
> -chris
>
>