LimitAccessToCertainClients

When securing HTTP traffic, you may wish to consider limiting access to clients with a certain IP address.  You can do this at many levels.

 

 

Limiting client access using Tomcat (Engine, Host, or Context level)

To limit client access at a high level, such as the entire server, you may use a Tomcat valve.

 

Tomcat has two valves that filter traffic based on the client IP addresses. They are the RemoteAddrValve and the RemoteHostValve. Both of these valves are extended from RequestFilterValve.

 

For a discussion of how to configure Tomcat valves see http://tomcat.apache.org/tomcat-5.5-doc/config/host.html (Tomcat 5.5) or http://tomcat.apache.org/tomcat-6.0-doc/config/host.html (Tomcat 6.0).

 

Note: The documentation on using these valves when Tomcat is embedded in JBoss is confusing, but it is simple to do. Although Tomcat scans various directories for context.xml.default and context.xml for defaults, to set a valve on a single Tomcat /context you need WEB-INF/context.xml in the application's WAR.

 

An example of context.xml that allows accesses from 127.0.0.x and 10.x.x.x:

 

<?xml version="1.0"?>
<Context debug="1" privileged="true" >

     <Valve className="org.apache.catalina.valves.RemoteAddrValve"
          allow="127\.0\.0\.\d{1,3},10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
          deny="" />

</Context>

 

 

For more discussions on context.xml, see Web-App Context Configuration.

 

 

No editing of the Tomcat server.xml is required unless you're applying valves to Hosts. In the latter, edit either server.xml or jboss-service.xml based on JBoss version:

 

JBoss versionsserver.xml or jboss-service.xml
4.2.0 and higher<jboss install dir>/server/<configuration>/deploy/jboss-web.deployer/server.xml
3.2.4 and 4.0.x<jboss install dir>/server/<configuration>/deploy/jbossweb-tomcat50.sar/server.xml
3.2.3 and lower<jboss install dir>/server/<configuration>/deploy/jbossweb-tomcat41.sar/META-INF/jboss-server.xml

 

 

 

 

Limiting client access using a servlet filter (Servlet or url-pattern level)

To limit client access to a particular servlet or to requests that match a url pattern, you can use the servlet filter attached to this page.  This requires JDK 1.4 or higher.

 

To install, place the attached jar in your WEB-INF/lib directory. If you want to use it in multiple web applications then you can instead put it in your

 

The attached web.xml file is an example that shows how to configure the filter.  The main thing to look at is the filter definition:

  <filter>
     <filter-name>RemoteHostFilter</filter-name>
     <filter-class>org.jboss.remotehostfilter.RemoteHostFilter</filter-class>
     <init-param>        
        <param-name>deny</param-name>
        <param-value>150.0.0.*</param-value>
     </init-param>
     <init-param>        
        <param-name>allow</param-name>
        <param-value>192.4.5.6,127.0.0.*</param-value>
     </init-param>
  </filter>

 

This filter is configured by setting the "allow" and/or "deny" properties to a comma-delimited list of regular expressions(in the syntax supported by the java.util.regex package) to which the client IP address will be compared.

 

Evaluation proceeds as follows:

 

  • If there are any deny expressions configured, the IP will be compared to each expression. If a match is found, this request will be rejected with a "Forbidden" HTTP response.

  • If there are any allow expressions configured, the IP will be compared to each such expression. If a match is NOT found, this request will be rejected with a "Forbidden" HTTP response.

  • Otherwise, the request will continue normally.

 

Don't forget to add an appropriate "filter-mapping" element, or this filter will never be applied.