i want to secure a personel tomcat in following way.
Basically everyone (every ip) should be able to access the webapps of this tomcat.
But some of the ip should able to access the tomcat without authentification (most of them) and some (e.g. 10.0.0.*) should only be able to access this tomcat via an authentification.
I've read much about how to solve this problem. The Tomcat Remote Access Filter and Remote Host Name isn't working in my case, cause i don't want to deny/allow the webapp for some IP Adresses.
I've tried to add these lines to context.xml with expectation, that i (localhost) can access the tomcat without authentification, but the authentification was still required:
<Context antiJARLocking="true" path="/">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" invalidAuthenticationWhenDeny="true" allow="127\.0\.0\.1"/>
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" />
So im at the end of my knowlegde (maybe i dont have much :D).
Can someone give me an example or a solution to my issue? Maybe i have to edit more than this file? Or did i missinterpreted something?
Thanks!
There are two ways of using authentication in tomcat.
1. if you want that each web app is not access by every user you can implement "Realm Configuration" . with this configuration , every time when user access the deployed web app in tomcat ,
it will ask user name and password.
for more details please refer below link:
https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
Another scenario is if you want that specific ip user able to access tomcat the via Remote filter you can achieve this.
for more details Refer below link:
https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Host_Filter
As you told "The Tomcat Remote Access Filter and Remote Host Name isn't working in my case, cause i don't want to deny/allow the webapp for some IP Adresses."
In that case you can implement "Realm configuration" if you don't want to bind the web app for IPs. That's why you can try to use realm configuration with user name and password.
If you still want to use remote filter then share your procedure which you are following for understanding where you are getting failed.
Related
I have an web application (Java-html5/js) which runs on our servers that is accessed simply by its URL, no login options or checks. I have been asked to secure it, but I have no access to its source code and I have not managed to contact the developer behind it. It is widely being used on the company, so there is no option to shut it down. The other applications on the network require authentication, so I can use those credentials for this app as well, by redirecting him from a another page. But once he logins, how can I stop him from just accessing the actual unsecured url?
If you're unable to change anything on this server, you may do the following:
Install a proxy server with authentication on another machine - if there's not already one in the company
restrict access to the app server to this proxy's IP address by putting it behind a firewall or changing routing rules
You need to go through the proxy to access and you need to authenticate. Way complicated but should work
My question is upper) I'm building Client-Server app on java and want to try implement OAuth2.0 authentication. Yet there is a problem - I haven't static IP address. Could I implement it whith such services like Google or Facebook when my app is on localhost?
First off, some of the OAuth providers won't even accept IP addresses, so even if you have a static IP it won't work.
You can try to use localhost, but that is not always possible or desirable, for instance when you want to test over a local network.
There is another way to get around this. What you can do is:
Pick a domain name which will never exist. For example: random.rubbish
Setup your OAuth apps with this domain name, i.e. register with Facebook and Google using http://random.rubbish/ as your domain and you can add a path if you want. This is only an example, you can change http and random.rubbish to whatever you need.
Now on your local system, you can edit the HOSTS file and put an entry for random.rubbish as follows: random.rubbish 127.0.0.1
Now in your browser when you go to http://random.rubbish, it will take you to localhost (port 80 because of http). This is because the first check the system performs to resolve a domain name is the HOSTS file.
If you want to test over a local network, you can add this entry to your DHCP server, or you can edit the HOSTS file on every machine where you will be accessing the server.
Is there a way to restrict/allow access to a specific file on Tomcat only to certain IPs? If there is no direct way to do this, what would be a good workaround?
I'd really appreciate your help.
Use a filter and get the ip from the request. However in case the request comes from behind a firewall, you'll get the firewall's ip.
There is a way to do so with Tomcat ;)
Code:
<Context path="/here is youre path to the files">
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="here u put the IP addresses you want to allow" deny="here u put the IP addresses you want to deny"/>
</Context>
I highly recommend you to read the Tomcat Tips which have been published by O´reilly. Can be found here.
Number 10 on there Site is about your Question
EDIT: This has to be pasted to your Server.xml
EDIT1: OTHER Way can be found here Tomcat Valve settings
There are various ways to do it, depending on exactly what you want to do. For example:
Remote IP Valves.
Remote Address Filters
Remote Host Filters
Or if you wanted something fine-grained (e.g. pattern matching on the path part of the request URL) then you could implement your own Filter class.
I have two windows domains A and B.
I have two servers: nasB on domain B, and webserverA on domain A.
I have two users: userB on domain B and access to nasB and userA on domain A with access to webserverA
I am running tomcat as a service on webserverA and it has the logon as property set to userA.
I have \\nasB\myFiles$\ mapped on webserverA using userB credentials. The mapping is only to allow the JVM access. I always access the drive using UNC in the code. I also have credentials in the manage network passwords. Both methods work when running any java app directly but not as a service :(
If I run tomcat as a service it throws a filenotfound except when trying to access \\nasB\myFiles$\somefile.txt. If I run tomcat using the startup.bat it can access the file fine.
I cannot run tomcat service using userB as he does not have access to webserverA. How do I let my tomcat service use the userB credentials when accessing nasB?
Don't try using mapped drives.
Given the fact users' configuration and mapped drives are available only if the user logins using interactive login, you won't be able to use such resources. Try with UNC paths and, if that doesn't work due to user restrictions, get a hand over jcifs library, it is quite handy in those cases because it allows you to authenticate when accesing the resource with the UNC path, so it reduces uncertainty about ability to read folders and files in network drives (also, configuring tomcat service to be ran as an administrative user, giving credentials that shouldn't expire,...).
I' ve faced this myself and this is just my personal view.
Create Windows user with username/password identical on both Windows servers.
Example userA/passA
Then run Tomcat Windows service with that user.
i have my java webapplication deployed on tomcat. I am able to access it with
https://localhost:8443/myWebAp
But i want access it with some domain name instead of localhost. For this i make an below entry in hosts file at C:/Windows/System32/drivers/etc/hosts
10.215.134.45 shopCart.myApp.com
Now i access my application with url
https://shopCart.myApp.com:8443/myWebAp
it says webpage can not be found. Though as soon as i enter my ip i.e 10.215.134.45 instead of shopCart.myApp.com it works fine. Another weird thing is if i give entry as
10.215.134.45 shopCart
and now acceess the app with
https://shopCart:8443/myWebAp
it works fine but as soon as i append some .(dot) with shopCart, looks like it browser is not able to resolve ip against shopCart.myApp.com. I am not getting whats the reason behind it?I also tried giving 127.0.0.1 instead of my ip against domain name but same result
This generally happens only if you are behind a proxy, and the browser is using your proxy to resolve the URL rather than using your hosts file/DNS. You should add *.myApp.com to the proxy exceptions list, to ensure that it resolves the IP address for the domain using your hosts file.