Tomcat: Source IP filtering on some URLs before Container-managed authentication

205 views

My webapp have a set of resources, let's call that set R. Some of those resources need to be accessed only from certain source IP addresses, let's call that subset R'. And some subset of R' (let's call it R'') needs authentication.

I have a requirement to check source IP address before authentication.

Right now, R' is specified in web.xml RemoteAddrFilter s, and R'' is specified in web.xml s.

The problem is, filters are executed after container-managed authentication, so login form is presented to the user before RemoteAddrFilter kicks in, and check source IP address. That is not what I need. Users outside trusted IP ranges should not be able to even know about the protected resources, let alone to guess passwords.

RemoteAddrValve, on the other hand, is called before container-managed authentication, but it does not allow specifying s.

What would be a good solution for the above requirement? Extend RemoteAddrValve with the ability to specify s?

posted Nov 19, 2015 by anonymous

Looking for an answer? Promote on:

Facebook Share Button

Twitter Share Button

LinkedIn Share Button

Similar Questions

+3 votes

Tomcat: Getting 404 before the container starts all servlets

After upgrading Tomcat from 6.X to 7.X, our AJAX client receives 404 for 10-15 seconds right after startup. I presume the request is accepted and processed before all servlet are initialized, which is not what you
would expect.

Is this behavior normal for 7.X? Is there a way to configure 7.x to behave like 6.x?

0 votes

Tomcat 7.0.4 - Ignoring certain URLs from session timeout

I am running Apache Tomcat 7.0.4 on Linux and the session-timeout is configured to 30 minutes. All requests from my client pass in the session cookie. However, I do not want the session timeout counter to get reset for certain URLs.

Is there a way to configure Tomcat to ignore certain URLs when resetting its timeout counter for a particular session?

0 votes

Mutual certificate authentication between Tomcat and MS IIS

Has somebody of you ever tried to configure certificate mutual authentication between a MS IIS webserver and a Tomcat instance Does somebody know if this is even possible in IIS ?

I usually do it very well with Apache but this time I'm requested to put in front of Tomcat an IIS webserver.
Thanks in advance.

+2 votes

Tomcat: Web filter to forward some requests to another remote webserver

I would like to create a web filter to forward some requests to another webserver,

The filter receives an "application/x-www-form-urlencoded" request , inspects the value of a parameter and chooses to forward to another remote webserver ( as a proxy )

I've seen some posts where they open a HttpURLConnection to remote server and send the request. This is right for me, but I'd would like if there is another way ( easier ) to implement it.

0 votes

Tomcat 7 installation on Sun Solaris 10

We need to install tomcat 7.0.68 or higher version on Sun Solaris 10. Can you let me know if there is any version compatibility matrix for Tomcat 7?

...