Tomcat file access restriction/allowance per IP - java

Is there a way to restrict/allow access to a specific file on Tomcat only to certain IPs? If there is no direct way to do this, what would be a good workaround?
I'd really appreciate your help.

Use a filter and get the IP from the request. However, in case the request comes from behind a firewall, you'll get the firewall's IP.

There is a way to do so with Tomcat ;)
Code:
<Context path="/your/path/to/the/files">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="here you put the IP addresses you want to allow, as a regular expression"
         deny="here you put the IP addresses you want to deny, as a regular expression"/>
</Context>
I highly recommend you read the Tomcat Tips published by O'Reilly. They can be found here.
Number 10 on their site is about your question.
EDIT: This has to be pasted into your server.xml
EDIT1: Another way can be found here: Tomcat Valve settings

There are various ways to do it, depending on exactly what you want to do. For example:
Remote IP Valves
Remote Address Filters
Remote Host Filters
Or if you wanted something fine-grained (e.g. pattern matching on the path part of the request URL) then you could implement your own Filter class.
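As an added example of the custom Filter route (not code from any of the answers above), here is a hypothetical IpRestrictFilter that serves one path prefix only to clients inside a list of CIDR ranges; the class name, the protectedPrefix and allow init-params and the CIDR helpers are all assumed names. Register it in web.xml with a filter-mapping on /* and those two init-params.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: requests under one path prefix are served only to listed CIDR ranges.
public class IpRestrictFilter implements Filter {
    private String protectedPrefix;                            // init-param, e.g. "/private/"
    private final List<byte[][]> allowed = new ArrayList<>();  // each rule: {network bytes, mask bytes}
    @Override
    public void init(FilterConfig cfg) throws ServletException {
        protectedPrefix = cfg.getInitParameter("protectedPrefix");
        // init-param "allow": comma-separated CIDRs, e.g. "127.0.0.1/32,10.0.0.0/24,::1/128"
        for (String cidr : cfg.getInitParameter("allow").split(",")) allowed.add(parseCidr(cidr.trim()));
    }
    static byte[][] parseCidr(String cidr) throws ServletException {
        try {
            String[] parts = cidr.split("/");
            byte[] net = InetAddress.getByName(parts[0]).getAddress();  // 4 bytes (IPv4) or 16 (IPv6)
            int bits = parts.length > 1 ? Integer.parseInt(parts[1]) : net.length * 8;
            if (bits < 0 || bits > net.length * 8) throw new IllegalArgumentException(cidr);
            byte[] mask = new byte[net.length];
            for (int i = 0; i < bits; i++) mask[i / 8] |= (byte) (0x80 >> (i % 8));
            return new byte[][] { net, mask };
        } catch (Exception e) {
            throw new ServletException("Bad CIDR in allow list: " + cidr, e);  // fail closed at startup
        }
    }
    static boolean inRange(byte[] addr, byte[][] rule) {
        if (addr.length != rule[0].length) return false;  // an IPv4 rule never matches an IPv6 peer
        for (int i = 0; i < addr.length; i++)
            if ((addr[i] & rule[1][i]) != (rule[0][i] & rule[1][i])) return false;
        return true;
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        // servletPath + pathInfo is the decoded, normalised path inside the context (not the raw URI)
        String path = r.getServletPath() + (r.getPathInfo() == null ? "" : r.getPathInfo());
        if (path.startsWith(protectedPrefix)) {
            // getRemoteAddr() is the TCP peer: behind Apache or a load balancer that is the proxy's
            // address, not the browser's, unless RemoteIpValve is configured to unwrap X-Forwarded-For
            byte[] addr = InetAddress.getByName(r.getRemoteAddr()).getAddress();
            boolean ok = false;
            for (byte[][] rule : allowed) ok |= inRange(addr, rule);
            if (!ok) { ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        }
        chain.doFilter(req, res);
    }
    @Override public void destroy() {}
}
```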

Related

Is there a way to convert all jsp files to static pages at once on server?

I have a website and now I want it to be able to work offline. I'm trying to use a service worker to implement this function, but unfortunately my website is written in multiple .jsp files. So when one JSP jumps to another JSP, the internet is required, as JSP cannot be resolved in client browsers. Is there a way to solve this problem? Or do I need to rewrite all the JSPs into one file?
Thanks in advance.
If your site is running on your own computer, configure it to accept requests on 127.0.0.1. Then you can use it when you are disconnected from the internet.
If the problem is that your JSPs link to each other via absolute URLs using your server's DNS name you could:
change the JSPs to use relative URLs, or
(hack!) temporarily tweak your DNS resolver to resolve the server DNS name to 127.0.0.1.
In general, it is not possible to convert a JSP to a static page, and still have it work properly.

Tomcat basic authentication

I want to secure a personal Tomcat in the following way.
Basically everyone (every IP) should be able to access the webapps of this Tomcat.
But some of the IPs should be able to access the Tomcat without authentication (most of them) and some (e.g. 10.0.0.*) should only be able to access this Tomcat via authentication.
I've read a lot about how to solve this problem. The Tomcat Remote Access Filter and Remote Host Name aren't working in my case, because I don't want to deny/allow the webapp for some IP addresses.
I've tried to add these lines to context.xml with the expectation that I (localhost) can access the Tomcat without authentication, but authentication was still required:
<Context antiJARLocking="true" path="/">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" invalidAuthenticationWhenDeny="true" allow="127\.0\.0\.1"/>
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" />
</Context>
So I'm at the end of my knowledge (maybe I don't have much :D).
Can someone give me an example or a solution to my issue? Maybe I have to edit more than this file? Or did I misinterpret something?
Thanks!
There are two ways of using authentication in Tomcat.
1. If you want each web app not to be accessible by every user, you can implement "Realm Configuration". With this configuration, every time a user accesses the deployed web app in Tomcat,
it will ask for a user name and password.
For more details please refer to the link below:
https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
2. The other scenario is that you want users from specific IPs to be able to access Tomcat; you can achieve this via the Remote filter.
For more details refer to the link below:
https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Host_Filter
As you said: "The Tomcat Remote Access Filter and Remote Host Name aren't working in my case, because I don't want to deny/allow the webapp for some IP addresses."
In that case you can implement "Realm configuration" if you don't want to bind the web app to IPs. That's why you can try to use realm configuration with a user name and password.
If you still want to use the remote filter, then share the procedure you are following, so we can understand where it is failing.

jQuery.post() with URL set as a Java weblet

I have a java app on my server and I can access it with my browser by going to server.com:8080/app.
I've been trying to get my application to access this weblet but because of XSS jQuery.post() gives me errors. Both the app and weblet are on the same server, but since I have to access the weblet through port 8080 Javascript thinks it's another server.
My question: Is there a way to avoid this XSS issue?
I don't want to use a PHP proxy or .htaccess. I also don't want to use the $.getJSON(url + '&callback?') method.
I'm looking for any other solutions.
Thanks in advance.
It's SOP (Same Origin Policy) that's stopping you here, not XSS. XSS is a security vulnerability that breaks SOP. And yes, it limits access so that both pages have to run on the same protocol, port and domain.
Can you use a reverse proxy from the webserver on port 80 to 8080? If not, you could take a look at easyXDM. Another alternative is to have the 8080 service return the access control header mentioned in one of your comments, but this is not supported in older browsers.
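As an added example of the "return the access control header" option (not code from the answer above): a hypothetical AllowlistCorsFilter for the :8080 service that grants cross-origin access only to origins listed in an assumed allowedOrigins init-param. Tomcat 7.0.41 and later ship org.apache.catalina.filters.CorsFilter, which does the same job through configuration.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter for the :8080 service: CORS headers only for an explicit list of trusted origins.
public class AllowlistCorsFilter implements Filter {
    private final Set<String> allowedOrigins = new HashSet<>();

    @Override
    public void init(FilterConfig cfg) {
        // init-param "allowedOrigins", e.g. "http://server.com,https://server.com".
        // Scheme, host and port all belong to the origin, so "http://server.com:8080" is a different one.
        for (String o : cfg.getInitParameter("allowedOrigins").split(",")) allowedOrigins.add(o.trim());
    }

    boolean isAllowed(String origin) {
        // Exact match only: a suffix or regex test would also accept "http://server.com.evil.example"
        return allowedOrigins.contains(origin);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");
        // No Origin header (a non-browser client or a plain same-origin GET): nothing to add
        if (origin != null && isAllowed(origin.trim())) {
            // Echo the specific origin rather than "*": "*" may not be combined with credentials
            response.setHeader("Access-Control-Allow-Origin", origin.trim());
            response.setHeader("Access-Control-Allow-Credentials", "true");
            // The response differs per origin, so shared caches must key on it
            response.addHeader("Vary", "Origin");
            boolean preflight = "OPTIONS".equals(request.getMethod())
                    && request.getHeader("Access-Control-Request-Method") != null;
            if (preflight) {
                // Answer the preflight here; the application never sees it
                response.setHeader("Access-Control-Allow-Methods", "GET, POST");
                response.setHeader("Access-Control-Allow-Headers", "Content-Type");
                response.setHeader("Access-Control-Max-Age", "600");
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() {}
}
```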

Voting mechanism with IP validation and allowing only one by user: problem in getting user IP address with two app servers and apache in front

We have a voting mechanism that we want to restrict to only allow one vote by user.
We've tried to validate by IP address, but the problem is that when we get the user's IP address in the applicational server it shows always the apache IP address (we have two applicational servers with apache in front of them).
We are using ColdFusion variable CGI.REMOTE_ADDR to get the user IP.
Anyone knows how to fix this?
We would like to avoid the use of sessions or cookies.
Thanks in advance.
You probably want to use the X-Forwarded-For header instead of the source IP, assuming your Apache instances are putting it into the request.

Finding out your website visitor IP address in Java

Is there a simple and reliable way to detect your website visitor's IP address using Java? I am trying to make use of Akismet to detect spam on my blog posts/comments. The API requires me to specify the IP address of the commenter.
Thanks =)
A call to ServletRequest.getRemoteAddr() should do it.
ServletRequest.getRemoteAddr() does this in the simplest scenarios. If you're behind a load balancer, you may instead want to look at the X-Forwarded-For header, as getRemoteAddr() will be the address of your load balancer. It's a comma-separated list of IP numbers, where the last one is the address that connected to your load balancer. The last address is the only one you can really trust (as it will be added by the load balancer), the others may be spoofed.
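Added example, not code from this answer: a hypothetical ClientIpResolver that applies the rule above (only what your own proxy appended can be trusted) and also covers the Apache-fronted voting question earlier on the page. It assumes you know the addresses of your own proxies; the class name and every sample address are constructed.

```java
import java.util.*;

// Hypothetical helper: works out the real client address behind one or more trusted reverse proxies.
public final class ClientIpResolver {
    private final Set<String> trustedProxies;

    public ClientIpResolver(Collection<String> trustedProxies) {
        this.trustedProxies = new HashSet<>(trustedProxies);  // addresses of your own Apache / load balancers
    }

    // remoteAddr: request.getRemoteAddr(), the TCP peer that connected to Tomcat
    // xff:        the X-Forwarded-For header value, or null when absent
    public String resolve(String remoteAddr, String xff) {
        // If the peer is not one of our proxies, any X-Forwarded-For header came from the client itself
        // and is worthless as evidence: fall back to the socket address.
        if (!trustedProxies.contains(remoteAddr) || xff == null || xff.trim().isEmpty()) {
            return remoteAddr;
        }
        // Each proxy appends the address that connected to it, so the header reads: client, proxy1, proxy2 ...
        // Anything left of what our proxies appended may have been forged by the client, so walk from the
        // right and stop at the first address that is not one of ours.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        // Every listed address was one of our proxies (e.g. a health check from inside the proxy tier)
        return remoteAddr;
    }

    public static void main(String[] args) {
        ClientIpResolver r = new ClientIpResolver(Arrays.asList("10.0.0.5", "10.0.0.6"));  // constructed addresses
        // Constructed case 1: browser 203.0.113.9 -> Apache 10.0.0.5 -> Apache 10.0.0.6 -> Tomcat
        System.out.println(r.resolve("10.0.0.6", "203.0.113.9, 10.0.0.5"));
        // Constructed case 2: client connected directly and forged the header; the header must be ignored
        System.out.println(r.resolve("198.51.100.7", "1.2.3.4"));
        // Constructed case 3: client forged a header and then went through one trusted proxy
        System.out.println(r.resolve("10.0.0.5", "1.2.3.4, 203.0.113.9"));
    }
}
```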
If you are using JSP on the server-side, then you can look at this link:
http://www.rgagnon.com/javadetails/java-0363.html
If you are using a servlet then you can use HttpServletRequest.getRemoteAddr()
Problem traffic is about 80% folks who will work to be sure they do not do work. Every site that I have seen that stays up uses some sort of human-has-to-think authentication. IPv4 is a constant source of spoofing, intrusions, and news reports (which you want to stay out of); IPv6 approaches the matter with engineering-grade work.
At that point, I think they will move over to using human shields or something.