How to restrict access by IP address to specific path with Tomcat?
Dears,
Can anyone help on restricting the access to a specific path on the web application by IP address?
Currently I have applied RemoteAddrValve and it works perfectly for the whole web application directory. Actually I need to apply this only on a specific path.
It is highly appreciated if someone can help on this.
    <Context>
        <WatchedResource>WEB-INF/web.xml</WatchedResource>
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="some IPs" denyStatus="404"/>
    </Context>
tomcat ip-restrictions
1
Possible duplicate of How to restrict access by IP address with Tomcat?
– Saeed Zhiany
Nov 11 at 5:21
edited Nov 11 at 11:07
Eugène Adell
asked Nov 11 at 5:17
Aqeel Hussain
1 Answer
As you mentioned, the RemoteAddrValve is too broad for your need. The solution is to use the RewriteValve matching both conditions (IP + path) and for the rule, denying the traffic. Don't forget to read the Tomcat doc to learn more on rewrites.
First, add the adequate valve in your Host definition in server.xml:
    <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
Supposing your host name is the default one (localhost), you need to create the $CATALINA_BASE/conf/Catalina/localhost/rewrite.config file with this content:
    RewriteCond %{REMOTE_ADDR} bad.ip.addr.ess
    RewriteRule ^/forbidden-path(.*)$ / [F]
The F flag will send a 403 Forbidden HTTP code. You can change the rule as you want, for example to redirect to a login page (flag R).
If your website is exposed on the Internet, don't forget that anyone could use a proxy to hide their real IP address. If you're using a reverse-proxy in front of your Apache, you might need to configure it adequately not to lose the user's real IP, or your Tomcat could only see your reverse proxy IP.
answered Nov 11 at 11:33
Eugène Adell
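An added example, not part of the original answer: it covers the reverse-proxy caveat in the answer above and goes one step further by turning the deny rule into an allow-list. The proxy address 10.0.0.5 and the client addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders, and the Host attributes are assumed to be the stock ones.

```xml
<!-- Added example, not from the original answer. Fragment of conf/server.xml.
     10.0.0.5 (reverse proxy) and 192.0.2.10 / 192.0.2.11 (allowed clients)
     are constructed sample addresses. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- Declared first: replaces the connection address with the client address
       taken from X-Forwarded-For, but only when the connection comes from an
       address matching internalProxies. Keep that regex limited to your own
       proxy, otherwise any client could supply the header itself. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="x-forwarded-for"
         internalProxies="10\.0\.0\.5" />

  <!-- Declared second, so %{REMOTE_ADDR} is evaluated after the valve above. -->
  <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />

  <!-- Contents of $CATALINA_BASE/conf/Catalina/localhost/rewrite.config
       (conditions are ANDed: forbid the path unless the client is listed;
       dots are escaped and patterns anchored because they are regexes;
       the path pattern covers /forbidden-path and everything below it):

       RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.10$
       RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.11$
       RewriteRule ^/forbidden-path(/.*)?$ - [F]
  -->
</Host>
```

After restarting Tomcat, request the path once from a listed address and once from an unlisted one, and confirm in the access log that the logged client address is the real one rather than the proxy's.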