Tomcat Valve settings

Question

I\'m stuck with sort of a configuration issue I think. I need to protect a folder which is within my actual tomcat application from access from a certain IP range.

I

Answer 1

Had the same need as you (but for other reasons) last week and created a valve to block requests by path. It's based off of org.apache.catalina.valves.RequestFilterValve.

Usage:

<Valve className="se.qbranch.tomcat.valve.BlockAccessByPathValve" path="/manager/.*" allow="127\.0\.0\.1"/>

The valve can be used in Engine, Host or Context just as any valve and is available on GitHub. http://github.com/xlson/tomcat-valves

I would suggest using the default tomcat valves or servlet filters in your application if that solves your problem. The reason we needed a custom valve was that some parts of the tomcat management application Psi-Probe would "leak out" even though we used the RemoteAddrValve in the <Context> element of the application.

Answer 2

You need to put it in the <Context> element which definies the webapplication in question.

For Tomcat it can be several places, under each the webapp-specific (and webapp-controlled) /META-INF/context.xml or the server-specific (and server-controlled) /conf/[enginename]/[hostname]/context.xml or the server-specific global /conf/context.xml or the host-specific /conf/server.xml. Also see the Tomcat Context documentation.

Answer 3

The Tomcat Valve can be applied to the whole Engine, the Host or a specific Context (webapp). You have to use it for you whole app, not specific path or directories.

You should set it in your META-INF/context.xml or your context fragment in conf/Catalina/[host] directory. For example,

<Context path="/myapp" ...>
  ...
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="10.1.2.*"/>
</Context>

Answer 4

It should go inside your <Context> element in server.xml:

<Context
    path="/tcadmin"
    docBase="${catalina.home}/server/webapps/admin"
    privileged="true"
>
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
        allow="127\.0\.0\.1"
    />
</Context>

Just remember, that the string values are regex patterns, so special regex characters ( e.g. dot(.) ) has to be escaped with backslashes.

EDIT: in reply to OP's comment. I think you need to implement a FILTER in your web app and configure it to accept or reject requests based on their remote address IP. Remote address can be retrieved from ServletRequest object passed into doFilter method.

You declare a filter in your web.xml file:

<filter>
  <filter-name>GatekeeperFilter</filter-name>
  <filter-class>your.package.GatekeeperFilter</filter-class>
  <init-param>
    <param-name>allowedNetwork</param-name>
    <param-value>192\.168\.2\.*</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>GatekeeperFilter</filter-name>
  <url-pattern>/path/to/protected/folder</url-pattern>
</filter-mapping>

Read the linked article about what need to be done to accept init parameters. I think for your decision making you can shamelessly copy the code from the RequestDumperValve.