You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by Jonathan Eric Miller <je...@uchicago.edu> on 2001/07/20 19:13:58 UTC

How to restrict access based on IP address?

Anyone know how to restrict access to a servlet based on IP address (using
Tomcat 4 in standalone mode)?

I noticed that there is a class called
"org.apache.catalina.valves.RemoteAddrValve" that appears to do this.

Does anyone know how I would make use of this class. Is it just a matter of
adding some settings to server.xml, or do I need to do something more?

First off, I would be happy to get it to work on a global level where it
restricts access to everything. However, after I figure that out. I want to
figure out how to protect only a specific servlet.

By the way, the goal here is to use Tomcat in standalone mode and not use a
separate Web server. I know how to do this using Apache Web Server, but, I
want to switch to using Tomcat in standalone mode.

Jon

Re: How to restrict access based on IP address?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 20 Jul 2001, Jonathan Eric Miller wrote:

> Anyone know how to restrict access to a servlet based on IP address (using
> Tomcat 4 in standalone mode)?
> 
> I noticed that there is a class called
> "org.apache.catalina.valves.RemoteAddrValve" that appears to do this.
> 
> Does anyone know how I would make use of this class. Is it just a matter of
> adding some settings to server.xml, or do I need to do something more?
> 

For details, you might want to check out the Tomcat 4 configuration
reference at the following URL (after you start up Tomcat):

  http://localhost:8080/docs/config/index.html

and select the <Engine>, <Host>, or <Context> elements.  In the "Special
Features" section at the bottom of each of these pages, you will find
examples of how to configure request filters.

> First off, I would be happy to get it to work on a global level where it
> restricts access to everything. However, after I figure that out. I want to
> figure out how to protect only a specific servlet.
> 

Using the standard valve implementation, you can do one of the following:

* Protect all requests processed by Tomcat 4 (nest the <Valve> element
  inside the <Engine>).

* Protect all requests processed by a particular virtual host (nest the
  <Valve> element inside the <Host> for that virtual host).

* Protect all requests processed by a particular web application
  (nest the <Valve> element inside the <Context> for that web app).

If you really wanted to protect things *inside* a web app, the best course
of action would be to write a Filter (using the new javax.servlet.Filter
API in Servlet 2.3) that performs the same sort of functionality that the
RemoteAddrValve and RemoteHostValve classes do).  With filters, you can
map them to the specific request URIs that you want to protect within the
web app.  (As an extra added bonus, filters are portable to all servlet
2.3 containers, while valves are specific to Tomcta 4 :-).

> By the way, the goal here is to use Tomcat in standalone mode and not use a
> separate Web server. I know how to do this using Apache Web Server, but, I
> want to switch to using Tomcat in standalone mode.
> 
> Jon
> 
> 
> 
Craig McClanahan