How to block part of application based on ip filtering

[Meir Yanovich <me...@gmail.com>]

Hello all
im using tomcat as the web server , and i have reverse proxy that
redirect to the tomcat
i like to be able to restrict the users that redirected from the
reverse proxy server to be able to
enter only one section of the application .
now i was reading the configuration and i found only the possibility
to allow / deny based on ip with :
org.apache.catalina.valves.RemoteAddrValve , but how can i allow from
ip x to enter only section Y of the application .
thanks

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: How to block part of application based on ip filtering

[Johnny Kewl <jo...@kewlstuff.co.za>]

----- Original Message ----- 
From: "Meir Yanovich" <me...@gmail.com>
To: <us...@tomcat.apache.org>
Sent: Sunday, August 24, 2008 1:38 PM
Subject: How to block part of application based on ip filtering


> Hello all
> im using tomcat as the web server , and i have reverse proxy that
> redirect to the tomcat
> i like to be able to restrict the users that redirected from the
> reverse proxy server to be able to
> enter only one section of the application .
> now i was reading the configuration and i found only the possibility
> to allow / deny based on ip with :
> org.apache.catalina.valves.RemoteAddrValve , but how can i allow from
> ip x to enter only section Y of the application .
> thanks

Meir... I'm not sure TC can help you...
I think this because the whole idea of a reverse proxy is that it invisible 
to TC... I think.
ie Apache is going to make headers and all the rest look like they from a 
normal browser... I think

Have a look at this
http://www.mail-archive.com/users@tomcat.apache.org/msg46654.html
May give you some idea's... that clever guy used apache to restrict access 
using apaches rewrites...
Maybe you could do something like make apache add a special header... and 
then TC would know its from the proxy.
There maybe someheader i'm unaware of... but idea is if you can detect a 
special header, then TC can reject from the servlet or ip filter...

ie either do all the logic in Apache or... make apache identify that it 
handled it, then do it in TC...

... guessing here... I try something like this
Then normal requests to TC go everywhere... Apache is a half blocked 
gateway... maybe ;)
---------------------------------------------------------------------------
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
--------------------------------------------------------------------------- 


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: How to block part of application based on ip filtering

[Tommy Pham <to...@yahoo.com>]

--- On Sun, 8/24/08, Meir Yanovich <me...@gmail.com> wrote:

> From: Meir Yanovich <me...@gmail.com>
> Subject: How to block part of application based on ip filtering
> To: users@tomcat.apache.org
> Date: Sunday, August 24, 2008, 7:38 AM
> Hello all
> im using tomcat as the web server , and i have reverse
> proxy that
> redirect to the tomcat
> i like to be able to restrict the users that redirected
> from the
> reverse proxy server to be able to
> enter only one section of the application .
> now i was reading the configuration and i found only the
> possibility
> to allow / deny based on ip with :
> org.apache.catalina.valves.RemoteAddrValve , but how can i
> allow from
> ip x to enter only section Y of the application .
> thanks
> 

Hi Meir,

I think the only possible approach is within the application itself since you want to limit access to certain portions of the application.  You can use the request.getRemoteAddr() of the HttpServletRequest.  If you store the information (URL & IP) in the database, you can change it dynamically as you need to :).  Also, you can log for repeated attempts of hacking ;)

Regards,
Tommy

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org