Tomcat Valve settings


Solution 1

It should go inside your <Context> element in server.xml:

<Context
    path="/tcadmin"
    docBase="${catalina.home}/server/webapps/admin"
    privileged="true"
>
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
        allow="127\.0\.0\.1"
    />
</Context>

Just remember that the string values are regex patterns, so special regex characters (e.g. the dot) have to be escaped with backslashes.

EDIT: in reply to OP's comment. I think you need to implement a FILTER in your web app and configure it to accept or reject requests based on their remote address IP. Remote address can be retrieved from ServletRequest object passed into doFilter method.

You declare a filter in your web.xml file:

<filter>
  <filter-name>GatekeeperFilter</filter-name>
  <filter-class>your.package.GatekeeperFilter</filter-class>
  <init-param>
    <param-name>allowedNetwork</param-name>
    <param-value>192\.168\.2\.\d+</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>GatekeeperFilter</filter-name>
  <url-pattern>/path/to/protected/folder</url-pattern>
</filter-mapping>

Read the linked article about what needs to be done to accept init parameters. I think for your decision making you can shamelessly copy the code from the RequestDumperValve.
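A filter of the kind this answer describes, as an added example rather than the answerer's code: it reads the allowedNetwork init-param declared in the web.xml above as a regex and rejects every request whose remote address does not match it in full. The package name your.package is taken from the web.xml declaration, and the javax.servlet API (Tomcat 6 through 9) is assumed.

```java
package your.package;  // assumed: must match <filter-class> in web.xml

import java.io.IOException;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class GatekeeperFilter implements Filter {
    private Pattern allowedNetwork;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String regex = config.getInitParameter("allowedNetwork");
        if (regex == null || regex.trim().isEmpty()) {
            // Fail closed: without an allow list the folder would be open to everyone.
            throw new ServletException("allowedNetwork init-param is required");
        }
        try {
            allowedNetwork = Pattern.compile(regex.trim());
        } catch (PatternSyntaxException e) {
            throw new ServletException("allowedNetwork is not a valid regex: " + regex, e);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // Behind a reverse proxy this is the proxy's address unless Tomcat's
        // RemoteIpValve/RemoteIpFilter has been configured to restore the client IP.
        String remoteAddr = request.getRemoteAddr();
        // matches() anchors the whole address: "10\.1\.2\.\d+" admits 10.1.2.7 but
        // not 10.1.25.7, which an unescaped "10.1.2.*" (dot = any character) would.
        if (remoteAddr != null && allowedNetwork.matcher(remoteAddr).matches()) {
            chain.doFilter(request, response);
        } else {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    @Override
    public void destroy() {
        allowedNetwork = null;
    }
}
```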

Solution 2

You need to put it in the <Context> element which defines the web application in question.

For Tomcat it can be in several places: the webapp-specific (and webapp-controlled) /META-INF/context.xml, the server-specific (and server-controlled) /conf/[enginename]/[hostname]/context.xml, the server-specific global /conf/context.xml, or the host-specific /conf/server.xml. Also see the Tomcat Context documentation.

Solution 3

The Tomcat Valve can be applied to the whole Engine, the Host or a specific Context (webapp). You have to use it for your whole app, not for a specific path or directory.

You should set it in your META-INF/context.xml or your context fragment in conf/Catalina/[host] directory. For example,

<Context path="/myapp" ...>
  ...
  <!-- allow is a regex matched against the whole client address, so the dots must be escaped -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="10\.1\.2\.\d+"/>
</Context>

Solution 4

Had the same need as you (but for other reasons) last week and created a valve to block requests by path. It's based on org.apache.catalina.valves.RequestFilterValve.

Usage:

<Valve className="se.qbranch.tomcat.valve.BlockAccessByPathValve" path="/manager/.*" allow="127\.0\.0\.1"/>

The valve can be used in an Engine, Host or Context just as any valve and is available on GitHub: http://github.com/xlson/tomcat-valves

I would suggest using the default tomcat valves or servlet filters in your application if that solves your problem. The reason we needed a custom valve was that some parts of the tomcat management application Psi-Probe would "leak out" even though we used the RemoteAddrValve in the <Context> element of the application.
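A valve of the kind this answer describes, written here as an added illustration and not the code from the linked GitHub project: it restricts a regex-defined set of request paths to a regex-defined set of client addresses and passes everything else down the pipeline, so it can be placed in an Engine, Host or Context just like RemoteAddrValve. The package and class names are assumed, as is the javax.servlet-based Tomcat API (up to Tomcat 9).

```java
package example.valve;  // hypothetical package, not the GitHub project's code

import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class PathRestrictedRemoteAddrValve extends ValveBase {

    private Pattern path;   // request URIs the restriction applies to
    private Pattern allow;  // client addresses allowed to reach those URIs

    // Tomcat's digester calls these setters for the path="..." and allow="..."
    // attributes of the <Valve> element, exactly as it does for RemoteAddrValve.
    public void setPath(String regex) { path = Pattern.compile(regex); }
    public String getPath() { return path == null ? null : path.pattern(); }
    public void setAllow(String regex) { allow = Pattern.compile(regex); }
    public String getAllow() { return allow == null ? null : allow.pattern(); }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // The decoded URI has already been normalized by Tomcat's CoyoteAdapter,
        // so encoded or path-parameter variants of the path are resolved before matching.
        if (isDenied(request.getDecodedRequestURI(), request.getRemoteAddr())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        getNext().invoke(request, response);
    }

    // Decision logic kept free of container types so it can be unit-tested.
    boolean isDenied(String uri, String remoteAddr) {
        if (path == null || uri == null || !path.matcher(uri).matches()) {
            return false;   // not a protected path: let the pipeline continue
        }
        // Fail closed: a protected path with no allow list, or a client outside it
        return allow == null || remoteAddr == null
                || !allow.matcher(remoteAddr).matches();
    }
}
```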

Author: KB22

Updated on May 03, 2020

Comments

  • KB22 about 4 years

    I'm stuck with sort of a configuration issue I think. I need to protect a folder which is within my actual tomcat application from access from a certain IP range.

    I thought this was serverfault, so I posted the question there. Right now I'm not sure whether this is SO or SF anyways...

    Nevertheless I kept on trying getting it going by myself and figured that I need to set the

    org.apache.catalina.valves.RemoteAddrValve

    for that folder of mine. Sadly I just can't get where I need to make that setting. web.xml, server.xml? Tried both, null success. Could anyone please help me out on this.

    tia

    K

  • KB22 over 14 years
    First, thanks for the quick answer (+1). Sadly this seems not to work yet. So far there's been no context section within my server.xml. Actually the application itself should be world accessible. Only one folder in there, basically a folder containing some PDFs, should only be accessible by certain IPs. Within the app there's a simple a href link to that folder. If the client is from my internal net everything is OK. If the client is external the folder should not be opened for him. Is my approach still right?
  • user1568901 about 14 years
    Helpful. I'm able to restrict my site to the proper IPv4 block by doing that. However, it doesn't seem to work for IPv6. Is there a different way to do that, or does Tomcat still not have full IPv6 support?
  • Johan Sjöberg about 12 years
    @BrianKnoblauch, Tomcat does support IPv6, see prevent-access-to-certain-webapps-in-tomcat6
  • user1568901 about 12 years
    Looks like it needs a custom build of Tomcat to support IPv6 (pre-built binaries don't seem to support it). So far unable to find the right combination of dependencies/options to do a full build of Tomcat with working IPv6. So, yes it supports it, but good luck actually getting it going. ;-)