tomcat-dev mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors
Date Mon, 05 Mar 2001 05:48:04 GMT
"Pier P. Fumagalli" wrote:

> Craig R. McClanahan <> wrote:
> >>
> >> Tomcat 4.0 will use port 8005 as its shutdown port, will this only accept
> >> connections from localhost?
> >
> > Yes, in effect.  The connection is accepted no matter where it comes from, but
> > attempts to shut down Tomcat are refused unless they are from localhost.
> >
> > AFAIK, there is no way through standard Java I/O to restrict where the
> > connection comes from at the socket accept level.
>
> BARF, Craig :) :) :) Bind your serversocket to the address only,
> and the trick is done... (if it doesn't work, it's a JVM/OS problem)

That controls where the *destination* of the client connection can go,
but not the *origin*.  Look again and find me the appropriate JDK
methods to call to say "only accept connections from IP address
a.b.c.d", which was the original question.

> >>  Is this configurable?
> >
> > Not currently, although this would be relatively easy to add.
>
> I wouldn't bother, but rather wait for the outcomes of JSR-096 (Java
> Daemons)... Even if maybe it will not make it for our final release, we can
> always incorporate their code (should come out with a BSD license), change
> the packages from javax.daemon to org.apache and keep the two in sync. When
> it finally comes out, we can simply incorporate it and change back to
> javax.daemon.
>
> >> Tomcat 4.0 will use port 8008 for its Warp Connector.  Can this be filtered
> >> using the Request Filter Valve?  The docs for the Request Filter refer to
> >> denying HTTP requests.
> >
> > As long as the Warp connector properly identifies where the request originated
> > (which I am pretty sure it does), you can indeed use request filters to accept
> > only requests from matching clients.  However, this cannot be used to control
> > where the connection from Apache comes from -- that would require code in the
> > connector itself.
> Actually, that's all the way around... GetRemoteHost() and addr() return the
> Apache client, not the WARP client... Filtering at WARP level is a feature
> that can be integrated in the connector...
>     Pier
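
The distinction drawn in this message, as an added example that is not part of the original post and is not Tomcat's own code: the bind address selects which local address receives connections, while the peer address can only be checked after `accept()` returns. The class name, the allowlisted address and the reply are assumptions made for illustration; port 8005 is the shutdown port named in the thread.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.Set;

public class OriginCheckedListener {
    static final int PORT = 8005; // shutdown port named in the thread

    /** Origin check, applied after accept() because accept() cannot filter by peer. */
    static boolean isAllowedOrigin(InetAddress peer, Set<InetAddress> allowed) {
        return peer.isLoopbackAddress() || allowed.contains(peer);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample allowlist entry (documentation address range).
        Set<InetAddress> allowed = Set.of(InetAddress.getByName("192.0.2.10"));

        // Destination control: bind to one local address only. With the
        // loopback default, remote hosts cannot reach the listener at all;
        // with a routable address (first argument), only the check below
        // limits where connections may originate.
        InetAddress bindAddr = args.length > 0
                ? InetAddress.getByName(args[0])
                : InetAddress.getLoopbackAddress();

        try (ServerSocket server = new ServerSocket(PORT, 50, bindAddr)) {
            while (true) {
                Socket client = server.accept(); // accepted before the origin is known
                try (client) {
                    InetAddress peer = client.getInetAddress();
                    if (!isAllowedOrigin(peer, allowed)) {
                        System.err.println("rejected " + peer.getHostAddress());
                        continue; // try-with-resources closes the socket
                    }
                    client.getOutputStream()
                          .write("ok\n".getBytes(StandardCharsets.US_ASCII));
                } catch (IOException e) {
                    System.err.println("client error: " + e.getMessage());
                }
            }
        }
    }
}
```

The `try (client)` form needs Java 9 or later.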

