Tomcat Access Control based on IP

To implement IP filtering, Tomcat offers the RemoteAddrValve class for filtering on IP address and the RemoteHostValve class for filtering on host name.

A. The Context Container Introduction (Important)

B. Remote Address Filter

  1. Introduction

    The Remote Address Filter allows you to compare the IP address of the client that submitted this request against one or more regular expressions, and either allow the request to continue or refuse to process the request from this client. A Remote Address Filter can be associated with any Catalina container (Engine, Host, or Context), and must accept any request presented to this container for processing before it will be passed on.

    The syntax for regular expressions is different than that for 'standard' wildcard matching. Tomcat uses the java.util.regex package. Please consult the Java documentation for details of the expressions supported.

    Note: There is a caveat when using this valve with IPv6 addresses. The format of the IP address that this valve processes depends on the API that was used to obtain it. If the address was obtained from a Java socket using the Inet6Address class, its format will be x:x:x:x:x:x:x:x. That is, the IP address for localhost will be 0:0:0:0:0:0:0:1 instead of the more widely used ::1. Consult your access logs for the actual value.

  2. Attributes

    The Remote Address Filter supports the following configuration attributes:

    Attribute    Description
    className    Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteAddrValve.
    allow        A regular expression (using java.util.regex) that the remote client's IP address is compared to. If this attribute is specified, the remote address MUST match for this request to be accepted. If this attribute is not specified, all requests will be accepted UNLESS the remote address matches a deny pattern.
    deny         A regular expression (using java.util.regex) that the remote client's IP address is compared to. If this attribute is specified, the remote address MUST NOT match for this request to be accepted. If this attribute is not specified, request acceptance is governed solely by the allow attribute.
    denyStatus   HTTP response status code that is used when rejecting a denied request. The default value is 403. For example, it can be set to the value 404.

  3. Example

    To allow access only for the clients connecting from localhost:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
    
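    The following Python script is an added example (not from the Tomcat documentation or the original post) that models the allow/deny decision of RemoteAddrValve as described above, using the page's own localhost pattern. It assumes, as Tomcat does, that the whole remote address must match the expression (re.fullmatch mirrors java.util.regex's matches()), and the sample addresses are constructed for illustration.

```python
import re
from typing import Optional

# allow pattern copied from the page's localhost example; java.util.regex and
# Python's re agree on this subset (escaped dots, \d, alternation).
LOCALHOST_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"


def is_allowed(remote_addr: str, allow: Optional[str] = None,
               deny: Optional[str] = None) -> bool:
    """Decide whether RemoteAddrValve would pass the request on.

    Semantics as stated in the attribute table: an address matching deny is
    rejected; if allow is set the address MUST match it; if only deny is set,
    anything not matching deny is accepted.  re.fullmatch is used because the
    valve compares the entire address, not a substring of it.
    """
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None:
        return re.fullmatch(allow, remote_addr) is not None
    return True  # no allow pattern: accepted (page wording), deny already checked


def decide(remote_addr: str, allow: Optional[str] = None,
           deny: Optional[str] = None, deny_status: int = 403) -> Optional[int]:
    """Return None when the request passes through, else the denyStatus code."""
    return None if is_allowed(remote_addr, allow, deny) else deny_status


if __name__ == "__main__":
    # constructed sample of client addresses as they would appear in access logs
    samples = ["127.0.0.1", "127.12.0.9", "::1", "0:0:0:0:0:0:0:1", "10.1.2.3"]
    for addr in samples:
        print(f"{addr:>18}: {decide(addr, allow=LOCALHOST_ALLOW, deny_status=404)}")
    # Two common mistakes, shown so they can be caught before deployment:
    # a partial pattern never matches because the whole address must match ...
    print("partial allow 127\\.0\\.0 ->", is_allowed("127.0.0.1", allow=r"127\.0\.0"))
    # ... and unescaped dots match any character, widening the allow list.
    print("unescaped 127.0.0.1     ->", is_allowed("127a0b0c1", allow=r"127.0.0.1"))
```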

C. Remote Host Filter

  1. Introduction

    The Remote Host Filter allows you to compare the hostname of the client that submitted this request against one or more regular expressions, and either allow the request to continue or refuse to process the request from this client. A Remote Host Filter can be associated with any Catalina container (Engine, Host, or Context), and must accept any request presented to this container for processing before it will be passed on.

    The syntax for regular expressions is different than that for 'standard' wildcard matching. Tomcat uses the java.util.regex package. Please consult the Java documentation for details of the expressions supported.

    Note: This filter processes the value returned by the method ServletRequest.getRemoteHost(). To allow that method to return proper host names, you have to enable the "DNS lookups" feature on the Connector.

  2. Attributes

    The Remote Host Filter supports the following configuration attributes:

    Attribute    Description
    className    Java class name of the implementation to use. This MUST be set to org.apache.catalina.valves.RemoteHostValve.
    allow        A regular expression (using java.util.regex) that the remote client's hostname is compared to. If this attribute is specified, the remote hostname MUST match for this request to be accepted. If this attribute is not specified, all requests will be accepted UNLESS the remote hostname matches a deny pattern.
    deny         A regular expression (using java.util.regex) that the remote client's hostname is compared to. If this attribute is specified, the remote hostname MUST NOT match for this request to be accepted. If this attribute is not specified, request acceptance is governed solely by the allow attribute.
    denyStatus   HTTP response status code that is used when rejecting a denied request. The default value is 403. For example, it can be set to the value 404.
