Pfthb

Please do not close this question as answered, because all links I found like this and they are about how to block single static URL, but not a dynamic.

I have a Tomcat 7 and I have an application something like http://server/myapp/.
I need to restrict some pages inside this application for some IPs. for example, everything should work fine for all IPs, except these 2 pages

http://server/myapp/admin/appversion/index.jsp
http://server/myapp/admin/appversion/app_parameters.jsp

for static URL's it works perfectly if I add the filter to server's web.xml (...apache-tomcat-7confweb.xml) like this

<filter>
 <filter-name>IPFilter</filter-name>
 <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
 <init-param>
 <param-name>allow</param-name>
 <param-value>127.d+.d+.d+</param-value>
 </init-param>
</filter>
<filter-mapping>
 <filter-name>IPFilter</filter-name>
 <url-pattern>/admin/appversion/index.jsp</url-pattern>
 <url-pattern>/admin/appversion/app_parameters.jsp</url-pattern>
</filter-mapping>

The problem comes when I need to do dynamic (or regexp) filtering. For example, every time I have a new version of application this part of URL (appversion) changes.

/admin/appversion/app_parameters.jsp

real url today looks like this /admin/1.0/app_parameters.jsp in 1 month it will be /admin/1.1/app_parameters.jsp etc. and I do not want to change it every time when I have an update. Also it might be different for dev, test and production environment and I do not want to support 3 different configurations and change for every update.

If I try to do it like this

<url-pattern>/admin/*/app_parameters.jsp</url-pattern>

then it does not work. and if I read tomcat official documentation there is no explanation how this works. There are some examples like /*, but it works only for every page.

My question:
Is there any way how to configure tomcat in a standard way and restrict some pages dynamically? One of the solutions can be to find full syntax of url-pattern and check if proper regexp is supported. Maybe using subfilters/nested filters etc. Or there is only one solution to create my custom java filter based on org.apache.catalina.filters.RemoteAddrFilter where I can apply proper regular expression to the URL?

P.S. one might think why I have admin pages inside the main application and I just should modify my app and move it to another app, but the problem is, that this application is a standard application from some vendor. I did not create this application by myself. If I change this application by my self, I will lose a support for it and I already checked, it is not easy to move this 2 pages. These 2 pages have a lot of dependencies from other parts of the application. Of course, I will create a ticket for this vendor separately, but it will be good to get an independent solution (Plan B) in case vendor cannot provide something.

UPDATE 1

I have checked tomcat source codes and looks like only 4 patterns are supported in element. This is the code from org.apache.catalina.core.ApplicationFilterFactory

private boolean matchFiltersURL(String testPath, String requestPath) 
 if (testPath == null) 
 return false;
 
 if (testPath.equals(requestPath)) 
 return true;
 

 if (testPath.equals("/*"))
 return true;
 if (testPath.endsWith("/*")) 
 if (testPath.regionMatches(0, requestPath, 0, testPath.length() - 2)) 
 if (requestPath.length() == testPath.length() - 2)
 return true;
 if ('/' == requestPath.charAt(testPath.length() - 2)) 
 return true;
 
 
 return false;
 

 if (testPath.startsWith("*.")) 
 int slash = requestPath.lastIndexOf('/');
 int period = requestPath.lastIndexOf('.');
 if ((slash >= 0) && (period > slash) && (period != requestPath.length() - 1) && (requestPath.length() - period == testPath.length() - 1)) 

 return testPath.regionMatches(2, requestPath, period + 1, testPath.length() - 2);
 
 

 return false;

briefly what is supported

 1. exact URL match
 2. <url-pattern>/*</url-pattern> means match for all URLs.
 3. <url-pattern>/some/path/*</url-pattern> means match for all URLs starting with "/some/path". It support /* only at the end of the URL.
 4. <url-pattern>*.ext</url-pattern> means match for any path but with specific extension.
 5. All others are not supported (examples what is not supported: /fld1/*/fld2, /fld1/*.jsp, etc

some examples which can help to understand it

matchFiltersURL("", "/fld1/fld2/mypage.jsp")
 (boolean) false

matchFiltersURL("*", "/fld1/fld2/mypage.jsp")
 (boolean) false

matchFiltersURL("/*", "/fld1/fld2/mypage.jsp")
 (boolean) true

matchFiltersURL("/fld1/*", "/fld1/fld2/mypage.jsp")
 (boolean) true

matchFiltersURL("/fld1*", "/fld1/fld2/mypage.jsp")
 (boolean) false

matchFiltersURL("/fld1/fld2/*", "/fld1/fld2/mypage.jsp")
 (boolean) true

matchFiltersURL("/fld1/*/mypage.jsp", "/fld1/fld2/mypage.jsp")
 (boolean) false

matchFiltersURL("*./fld1/fld2/mypage.jsp", "/fld1/fld2/mypage.jsp")
 (boolean) false

matchFiltersURL("*./fld1/fld2/mypagejs", "./fld1/fld2/mypagejsp")

matchFiltersURL("*.jsp", "/.jsp");
 (boolean) true

matchFiltersURL("*.xxxx", "/.xxxx");
 (boolean) true

matchFiltersURL("*./fld1/xxxx", "/fld1/.xxxx");
 (boolean) false

matchFiltersURL("*./fld1/.xxxx", "/fld1/.xxxx");
 (boolean) false

matchFiltersURL("/fld1/fld2/*.jsp", "/fld1/fld2/mypage.jsp")
 (boolean) false

matchFiltersURL("*./fld1/fld2/*", "/fld1/fld2/mypage.jsp")
 (boolean) false

As result of this, it is clearly not possible to use for dynamic filtering. The only possibility I can see now is a custom filter or nested filters.