tomcat-dev mailing list archives

From Glenn Nielsen <gl...@voyager.apg.more.net>
Subject Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors
Date Mon, 05 Mar 2001 03:13:54 GMT
Ok, so if you want to restrict network access from remote Apache servers
using the mod_jserv, mod_jk, or mod_webapp connectors to Tomcat, you can't
do it with either Tomcat 3.2 or Tomcat 4.0, correct?

Sure would be nice if network access allow/deny for Connectors could be
configured for those who don't put Tomcat behind a firewall.

Regards,

Glenn

"Pier P. Fumagalli" wrote:
> 
> Craig R. McClanahan <Craig.McClanahan@eng.sun.com> wrote:
> >>
> >> Tomcat 4.0 will use port 8005 as its shutdown port, will this only accept
> >> connections from localhost?
> >
> > Yes, in effect.  The connection is accepted no matter where it comes from, but
> > attempts to shut down Tomcat are refused unless they are from localhost.
> >
> > AFAIK, there is no way through standard Java I/O to restrict where the
> > connection comes from at the socket accept level.
> 
> BARF, Craig :) :) :) Bind your serversocket to the 127.0.0.1 address only,
> and the trick is done... (if it doesn't work, it's a JVM/OS problem)
> 
> >>  Is this configurable?
> >
> > Not currently, although this would be relatively easy to add.
> 
> I wouldn't bother, but rather wait for the outcomes of JSR-096 (Java
> Daemons)... Even if maybe it will not make it for our final release, we can
> always incorporate their code (should come out with a BSD license), change
> the packages from javax.daemon to org.apache and keep the two in sync. When
> it finally comes out, we can simply incorporate it and change back to
> javax.daemon.
> 
> >> Tomcat 4.0 will use port 8008 for its Warp Connector.  Can this be filtered
> >> using the Request Filter Valve?  The docs for the Request Filter refer to
> >> denying HTTP requests.
> >
> > As long as the Warp connector properly identifies where the request originated
> > (which I am pretty sure it does), you can indeed use request filters to accept
> > only requests from matching clients.  However, this cannot be used to control
> > where the connection from Apache comes from -- that would require code in the
> > connector itself.
> 
> Actually, that's all the way around... GetRemoteHost() and addr() return the
> Apache client, not the WARP client... Filtering at WARP level is a feature
> that can be integrated in the connector...
> 
>     Pier
> 
> --
> ----------------------------------------------------------------------------
> Pier Fumagalli  <http://www.betaversion.org/>  <mailto:pier@betaversion.org>

-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
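
The two restrictions discussed in this thread, as an added example that is not part of the original message and is not Tomcat's code: binding a listener to 127.0.0.1 only, and checking the peer address immediately after `accept()` for a connector that must listen on other interfaces. The class name, the allow-list and its addresses are assumptions, and ephemeral ports stand in for 8005 and 8008 so the demo runs anywhere.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.Set;

public class RestrictedListener {
    // Hypothetical allow-list of front-end web servers (constructed addresses).
    static final Set<String> ALLOWED = Set.of("127.0.0.1", "192.0.2.10");

    // Option 1: bind to the loopback address only. The OS then refuses
    // connections arriving on any other interface; no application check needed.
    static ServerSocket bindLoopback(int port) throws IOException {
        return new ServerSocket(port, 50, InetAddress.getByName("127.0.0.1"));
    }

    // Option 2: listen on all interfaces, but compare the TCP peer address
    // against the allow-list before reading any protocol bytes.
    static boolean isAllowed(Socket peer) {
        return ALLOWED.contains(peer.getInetAddress().getHostAddress());
    }

    public static void main(String[] args) throws IOException {
        try (ServerSocket shutdown = bindLoopback(0);        // stands in for port 8005
             ServerSocket connector = new ServerSocket(0)) { // stands in for port 8008
            System.out.println("shutdown listener: " + shutdown.getLocalSocketAddress());

            // Constructed demo client: connect to the connector over loopback.
            InetAddress lo = InetAddress.getByName("127.0.0.1");
            try (Socket client = new Socket(lo, connector.getLocalPort());
                 Socket peer = connector.accept()) {
                if (isAllowed(peer)) {
                    System.out.println("accepted " + peer.getInetAddress());
                } else {
                    // Socket is closed by try-with-resources without being served.
                    System.out.println("rejected " + peer.getInetAddress());
                }
            }
        }
    }
}
```

The check in option 2 sees the address of the TCP peer (the web server running the connector module), which is a different value from the browser address that the request-level filter sees.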
