Posted to users@tomcat.apache.org by ANALIA DE PEDRO SANTAMARIA <10...@alumnos.uc3m.es> on 2013/12/14 19:27:15 UTC

Restrict incoming connections per Application Tomcat 6.0.37

Hello,

I'm developing a permission system in Tomcat and I would like to restrict
incoming connections per application. I mean, I want to restrict incoming
connections in some applications and permit them in others.

I have tried to do it with the Security Manager (SocketPermission), but it
doesn't restrict all incoming connections. And also I have tried with
RemoteAddrValve and RemoteHostValve (<Context>) but it restricts all
connections, not only the incoming ones. I have been searching for another way to
do that but I couldn't find anything.

Is it possible? Could anybody help me?

Thank you very much.

Analía

Re: Restrict incoming connections per Application Tomcat 6.0.37

Posted by ANALIA DE PEDRO SANTAMARIA <10...@alumnos.uc3m.es>.
Thank you Martin, I'll try whether what you suggest works for me.

Thank you very much André, now I have understood the problem much better.
Thank you for your explanation.

Analía.


2013/12/16 André Warnier <aw...@ice-sa.com>

> ANALIA DE PEDRO SANTAMARIA wrote:
>
>> I'm going to try to explain myself better.
>>
>
> I believe that we understand what you seem to want to do, but that there
> are some intrinsic problems with the way in which you are looking at this.
>
>
>
>> What I'm trying to do is create a permission system in Tomcat. This
>> permission system must allow or prevent the following connections:
>> - Receive from IP. The application with this permission can only accept
>> connections (or receive information) from an IP. It can't send anything or
>> connect to anywhere.
>> - Receive All. The application with this permission can accept connections
>> (or receive information) from any IP. It can't send anything or connect to
>> anywhere.
>> - Send and Receive IP. The application with this permission can accept
>> connections from and connect to an IP.
>> - Send to IP. The application with this permission can only connect or
>> send information to an IP. It can't receive information or accept
>> connections from anywhere.
>> - Send to All. The application with this permission can connect or send
>> information to any IP. It can't receive information or accept connections
>> from anywhere.
>>
>>
> "Accepting connections from" and "processing HTTP requests from" are two
> essentially different things, and happen at different levels/moments in
> time.
> "Connecting to" and "sending information to" is a third different and
> independent thing.
>
> Roughly:
> - a TCP connection is "accepted" at the Tomcat/Connector level, long
> before anything starts reading on that connection to receive the actual
> HTTP request.
> - then the HTTP request is read, and it is determined which application
> (if any) should process that request
> - and it is only after the above, that an application would (or would not)
> process the request
>
> In other words, if you really want to "block connections" (or allow them)
> from selected IPs, then this is something that happens before the target
> application is even known, and it cannot be specific per application.
>
> On the other hand, when the connection has been accepted and the request
> has been read and the target application has been selected, it is possible
> at the level of the selected application, to check the source IP, and
> reject (or accept) the request.
> (But at this stage, not the connection anymore, it's too late for that).
>
> The second part concerns what the application can do, once it is running
> to process a request.
>
> Tomcat has basically no knowledge of any incoming or outgoing connection
> that the application itself may be setting up with any "third party".
> Tomcat itself is not involved in such connections, and it has no way to
> interfere with them.
> That is the domain of the JVM which runs the application code, and it is
> at that level that you can allow/disable such connections.
>
>
>
>> With the SocketPermission, I can prevent one application from connecting to a
>> specific IP or any IP (not granting SocketPermission "connect"). But if I
>> try to prevent one IP from connecting to the application (not granting
>> SocketPermission "accept"), it doesn't restrict all connections. For
>> example, I can connect to the application from a browser on another host.
>> (I'm using the Security Manager in a correct way because it works with
>> other permissions).
>>
>> If I add <Valve className="org.apache.catalina.valves.RemoteHostValve"
>> allow="localhost"/> to the context.xml, I can restrict the previous
>> example, but with this I restrict all connections, so it doesn't allow me
>> to do what I want.
>>
>> If I combine the SocketPermission with the RemoteHostValve I can grant the
>> first three permissions (or connections) in my list above. But I need to
>> restrict the incoming connections (accept connections) to grant the last
>> two.
>>
>>
> Yes, and it is all perfectly logical that it would be that way, because of
> where and when things happen.
>
> What I am trying to say, is that it is your requirements that do not fit
> the reality of how things work. You are trying to combine, under one
> artificial "permission name", things which are difficult to combine because
> they happen at different levels and have different scopes.
>
> For example, if you do not grant to an application the SocketPermission
> "accept", it means that this application cannot open it's *own* listening
> socket and accept connections on it. But this concerns listening sockets
> that your application would want to open on its own, and it is totally
> distinct from (and has nothing to do with) the listening socket on which
> Tomcat accepts HTTP requests (for this application and others).
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Restrict incoming connections per Application Tomcat 6.0.37

Posted by André Warnier <aw...@ice-sa.com>.
ANALIA DE PEDRO SANTAMARIA wrote:
> I'm going to try to explain myself better.

I believe that we understand what you seem to want to do, but that there are some 
intrinsic problems with the way in which you are looking at this.

> 
> What I'm trying to do is create a permission system in Tomcat. This
> permission system must allow or prevent the following connections:
> - Receive from IP. The application with this permission can only accept
> connections (or receive information) from an IP. It can't send anything or
> connect to anywhere.
> - Receive All. The application with this permission can accept connections
> (or receive information) from any IP. It can't send anything or connect to
> anywhere.
> - Send and Receive IP. The application with this permission can accept
> connections from and connect to an IP.
> - Send to IP. The application with this permission can only connect or
> send information to an IP. It can't receive information or accept
> connections from anywhere.
> - Send to All. The application with this permission can connect or send
> information to any IP. It can't receive information or accept connections
> from anywhere.
> 

"Accepting connections from" and "processing HTTP requests from" are two essentially 
different things, and happen at different levels/moments in time.
"Connecting to" and "sending information to" is a third different and independent thing.

Roughly:
- a TCP connection is "accepted" at the Tomcat/Connector level, long before anything 
starts reading on that connection to receive the actual HTTP request.
- then the HTTP request is read, and it is determined which application (if any) should 
process that request
- and it is only after the above, that an application would (or would not) process the request

In other words, if you really want to "block connections" (or allow them) from selected 
IPs, then this is something that happens before the target application is even known, and 
it cannot be specific per application.

On the other hand, when the connection has been accepted and the request has been read and 
the target application has been selected, it is possible at the level of the selected 
application, to check the source IP, and reject (or accept) the request.
(But at this stage, not the connection anymore, it's too late for that).

The second part concerns what the application can do, once it is running to process a request.

Tomcat has basically no knowledge of any incoming or outgoing connection that the 
application itself may be setting up with any "third party". Tomcat itself is not involved 
in such connections, and it has no way to interfere with them.
That is the domain of the JVM which runs the application code, and it is at that level 
that you can allow/disable such connections.

> 
> With the SocketPermission, I can prevent one application from connecting to a
> specific IP or any IP (not granting SocketPermission "connect"). But if I
> try to prevent one IP from connecting to the application (not granting
> SocketPermission "accept"), it doesn't restrict all connections. For
> example, I can connect to the application from a browser on another host.
> (I'm using the Security Manager in a correct way because it works with
> other permissions).
> 
> If I add <Valve className="org.apache.catalina.valves.RemoteHostValve"
> allow="localhost"/> to the context.xml, I can restrict the previous
> example, but with this I restrict all connections, so it doesn't allow me
> to do what I want.
> 
> If I combine the SocketPermission with the RemoteHostValve I can grant the
> first three permissions (or connections) in my list above. But I need to
> restrict the incoming connections (accept connections) to grant the last
> two.
> 

Yes, and it is all perfectly logical that it would be that way, because of where and when 
things happen.

What I am trying to say, is that it is your requirements that do not fit the reality of 
how things work. You are trying to combine, under one artificial "permission name", 
things which are difficult to combine because they happen at different levels and have 
different scopes.

For example, if you do not grant to an application the SocketPermission "accept", it means 
that this application cannot open its *own* listening socket and accept connections on 
it. But this concerns listening sockets that your application would want to open on its 
own, and it is totally distinct from (and has nothing to do with) the listening socket on 
which Tomcat accepts HTTP requests (for this application and others).
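To make the split concrete: the inbound side of Analía's list ("Receive from IP", "Receive All") is decided per request and per application by a valve in that application's own context file, while the outbound side ("Send to IP", "Send to All") is a SocketPermission "connect" grant to that webapp's codeBase in catalina.policy. The context file below is an added illustration written for this thread, not configuration taken from the messages above or from the Tomcat project; the context name receive-from-ip and the address 203.0.113.10 are constructed placeholders.

```xml
<!-- conf/Catalina/localhost/receive-from-ip.xml (constructed example):
     per-application context for a webapp that may only be reached from one
     client address. In Tomcat 6 the RemoteAddrValve "allow" attribute is a
     comma-separated list of regular expressions, each matched against the
     whole remote IP address as Tomcat sees it, so the dots must be escaped.
     Once "allow" is set, a request from any other address is rejected with
     HTTP 403 after the request has been read and routed to this context:
     the TCP connection itself was already accepted by the Connector, which
     is the point André makes above. -->
<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="203\.0\.113\.10"/>
</Context>
```

For "Receive All" the context simply carries no such valve. For the outbound side, the matching grant in catalina.policy targets the webapp's code rather than the context, for example `grant codeBase "file:${catalina.base}/webapps/send-to-ip/-" { permission java.net.SocketPermission "203.0.113.20:443", "connect"; };` (again constructed names and addresses; "*:1-65535" in place of the host:port would express "Send to All"). That grant has no bearing on Tomcat's own listening socket: withholding "accept" from a webapp's codeBase only governs server sockets the webapp would open itself, which is why it had no visible effect on browser requests. If Tomcat sits behind a reverse proxy, the address the valve compares is the proxy's unless the forwarded client address is restored first, for instance with Tomcat's RemoteIpValve.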


Re: Restrict incoming connections per Application Tomcat 6.0.37

Posted by ANALIA DE PEDRO SANTAMARIA <10...@alumnos.uc3m.es>.
I'm going to try to explain myself better.

What I'm trying to do is create a permission system in Tomcat. This
permission system must allow or prevent the following connections:
- Receive from IP. The application with this permission can only accept
connections (or receive information) from an IP. It can't send anything or
connect to anywhere.
- Receive All. The application with this permission can accept connections
(or receive information) from any IP. It can't send anything or connect to
anywhere.
- Send and Receive IP. The application with this permission can accept
connections from and connect to an IP.
- Send to IP. The application with this permission can only connect or
send information to an IP. It can't receive information or accept
connections from anywhere.
- Send to All. The application with this permission can connect or send
information to any IP. It can't receive information or accept connections
from anywhere.


With the SocketPermission, I can prevent one application from connecting to a
specific IP or any IP (not granting SocketPermission "connect"). But if I
try to prevent one IP from connecting to the application (not granting
SocketPermission "accept"), it doesn't restrict all connections. For
example, I can connect to the application from a browser on another host.
(I'm using the Security Manager in a correct way because it works with
other permissions).

If I add <Valve className="org.apache.catalina.valves.RemoteHostValve"
allow="localhost"/> to the context.xml, I can restrict the previous
example, but with this I restrict all connections, so it doesn't allow me
to do what I want.

If I combine the SocketPermission with the RemoteHostValve I can grant the
first three permissions (or connections) in my list above. But I need to
restrict the incoming connections (accept connections) to grant the last
two.

Any idea?

Thank you very much!

Analía


2013/12/14 Christopher Schultz <ch...@christopherschultz.net>

> Analía,
>
> On 12/14/13, 1:27 PM, ANALIA DE PEDRO SANTAMARIA wrote:
> > I'm developing a permission system in Tomcat and I would like to
> > restrict incoming connections per application. I mean, I want to
> > restrict incoming connections in some applications and permit them
> > in others.
>
> So you want one application to disallow all connections, but others
> can receive incoming requests? Why not just un-deploy the application
> you don't want to be accessible?
>
> > I have tried to do it with the Security Manager (SocketPermission),
> > but it doesn't restrict all incoming connections.
>
> Really? You must have done it incorrectly, because disabling
> SocketPermission should have prevented Tomcat from binding to the port
> in the first place. No connection would be possible at all. Note that
> you need to enable a SecurityManager in order to use SocketPermission,
> and that Tomcat's default security configuration is to allow the
> appropriate SocketPermissions, so you'd have to seriously damage your
> Tomcat installation in order to do that. I don't recommend it.
>
> > And also I have tried with RemoteAddrValve and RemoteHostValve
> > (<Context>) but it restricts all connections, not only the
> > incoming ones.
>
> What other kinds of connections are there, other than incoming ones?
>
> > I have been searching for another way to do that but I couldn't find
> > anything.
>
> You haven't really described what you want to accomplish. "Restrict
> incoming connections per application" could mean a range of things. Do
> you want to prohibit certain connections (e.g. non-localhost),
> throttle connection rates, or require authentication for certain
> applications?
>
> -chris

Re: Restrict incoming connections per Application Tomcat 6.0.37

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Analía,

On 12/14/13, 1:27 PM, ANALIA DE PEDRO SANTAMARIA wrote:
> I'm developing a permission system in Tomcat and I would like to
> restrict incoming connections per application. I mean, I want to
> restrict incoming connections in some applications and permit them
> in others.

So you want one application to disallow all connections, but others
can receive incoming requests? Why not just un-deploy the application
you don't want to be accessible?

> I have tried to do it with the Security Manager (SocketPermission),
> but it doesn't restrict all incoming connections.

Really? You must have done it incorrectly, because disabling
SocketPermission should have prevented Tomcat from binding to the port
in the first place. No connection would be possible at all. Note that
you need to enable a SecurityManager in order to use SocketPermission,
and that Tomcat's default security configuration is to allow the
appropriate SocketPermissions, so you'd have to seriously damage your
Tomcat installation in order to do that. I don't recommend it.

> And also I have tried with RemoteAddrValve and RemoteHostValve 
> (<Context>) but it restricts all connections, not only the
> incoming ones.

What other kinds of connections are there, other than incoming ones?

> I have been searching for another way to do that but I couldn't find
> anything.

You haven't really described what you want to accomplish. "Restrict
incoming connections per application" could mean a range of things. Do
you want to prohibit certain connections (e.g. non-localhost),
throttle connection rates, or require authentication for certain
applications?

-chris