Posted to users@tomcat.apache.org by Jose Euclides da Silva Junior - DATAPREVRJ <Jo...@rj.previdenciasocial.gov.br> on 2003/04/17 00:16:02 UTC

RE: Restrict Access to Web App to clients with a specific IP address

I guess the best practice for this question is to make the operating system
take care of it. So, the O.S. should control the Users X Resource
policies, and the Web Server have access to them.
Euclides.

-----Original Message-----
From: Gary Gwin [mailto:tomcat@cafesoft.com]
Sent: Wednesday, April 16, 2003 13:37
To: Tomcat Users List
Subject: Re: Restrict Access to Web App to clients with a specific IP address


There is no way to do this with Tomcat (e.g., J2ee) declarative security 
(via the deployment descriptor). However, you can do it yourself with 
J2ee programmatic security using, for example, a filter to check for the 
IP address.

From a security purist point of view there is "some" risk in only using 
an IP address to secure a resource, as an IP address can be spoofed. 
Your risk tolerance is a function of the threat of attack vs. the value 
of the protected resource. A combined authentication AND IP address 
access rule can greatly enhance security.

Gary

Varley, Roger wrote:
> Hi
> 
> I'm designing a web-app that is going to be accessed via standalone Tomcat
> solely by one of our customers. Is it possible to restrict access to the
> web-app to a specific range of IP addresses from web.xml (or any other means
> within Tomcat)?
> 
> Regards
> Roger
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 

-- 

Gary Gwin
http://www.cafesoft.com

*****************************************************************
*                                                               *
*   The Cafesoft Access Management System, Cams, is security    *
*   software that provides single sign-on authentication and    *
*   centralized access control for Apache, Tomcat, and custom   *
*   resources.                                                  *
*                                                               *
*****************************************************************
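
The filter approach Gary describes, as an added example that is not code from this thread or from the Tomcat project: a servlet filter that allows only clients inside one CIDR range and answers 403 to everyone else. The class name IpRangeFilter and the "allowedCidr" init-param are hypothetical names chosen for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
// Added example: rejects requests whose source address is outside a configured CIDR range.
// The class name and the "allowedCidr" init-param are hypothetical, not part of Tomcat.
public class IpRangeFilter implements Filter {
    private byte[] network;   // network address bytes (IPv4 or IPv6)
    private int prefixLen;    // number of leading bits that must match
    public void init(FilterConfig cfg) throws ServletException {
        String cidr = cfg.getInitParameter("allowedCidr"); // e.g. 192.0.2.0/24 (documentation range)
        if (cidr == null || cidr.indexOf('/') < 0)
            throw new ServletException("allowedCidr init-param must be address/prefix");
        try {
            String[] parts = cidr.trim().split("/");
            network = InetAddress.getByName(parts[0]).getAddress();
            prefixLen = Integer.parseInt(parts[1]);
        } catch (Exception e) {
            throw new ServletException("invalid allowedCidr: " + cidr, e);
        }
        if (prefixLen < 0 || prefixLen > network.length * 8)
            throw new ServletException("prefix length out of range: " + cidr);
    }

    // True when the first prefixLen bits of addr equal those of the configured network.
    boolean inRange(byte[] addr) {
        if (addr.length != network.length) return false; // IPv4 vs IPv6 mismatch: deny
        for (int bit = 0; bit < prefixLen; bit++) {
            int mask = 0x80 >> (bit % 8);
            if ((addr[bit / 8] & mask) != (network[bit / 8] & mask)) return false;
        }
        return true;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        boolean allowed;
        try {
            // getRemoteAddr() is the TCP peer; behind a proxy this is the proxy's address.
            allowed = inRange(InetAddress.getByName(req.getRemoteAddr()).getAddress());
        } catch (UnknownHostException e) {
            allowed = false; // fail closed on anything unparsable
        }
        if (allowed) chain.doFilter(req, res);
        else ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
    }
    public void destroy() {}
}
```

The filter is declared and mapped in web.xml with a filter element (carrying the allowedCidr init-param) and a filter-mapping element covering the protected URL pattern.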
