tomcat-dev mailing list archives

From "Pier P. Fumagalli" <>
Subject Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors
Date Mon, 05 Mar 2001 02:31:13 GMT
Craig R. McClanahan <> wrote:
>> Tomcat 4.0 will use port 8005 as its shutdown port, will this only accept
>> connections from localhost?
> Yes, in effect.  The connection is accepted no matter where it comes from, but
> attempts to shut down Tomcat are refused unless they are from localhost.
> AFAIK, there is no way through standard Java I/O to restrict where the
> connection comes from at the socket accept level.

BARF, Craig :) :) :) Bind your serversocket to the address only,
and the trick is done... (if it doesn't work, it's a JVM/OS problem)

>>  Is this configurable?
> Not currently, although this would be relatively easy to add.

I wouldn't bother, but rather wait for the outcomes of JSR-096 (Java
Daemons)... Even if maybe it will not make it for our final release, we can
always incorporate their code (should come out with a BSD license), change
the packages from javax.daemon to org.apache and keep the two in sync. When
it finally comes out, we can simply incorporate it and change back to

>> Tomcat 4.0 will use port 8008 for its Warp Connector.  Can this be filtered
>> using the Request Filter Valve?  The docs for the Request Filter refer to
>> denying HTTP requests.
> As long as the Warp connector properly identifies where the request originated
> (which I am pretty sure it does), you can indeed use request filters to accept
> only requests from matching clients.  However, this cannot be used to control
> where the connection from Apache comes from -- that would require code in the
> connector itself.

Actually, that's all the way around... GetRemoteHost() and addr() return the
Apache client, not the WARP client... Filtering at WARP level is a feature
that can be integrated in the connector...


Pier Fumagalli  <>  <>
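
The two approaches contrasted in this message (accept from anywhere and refuse afterwards, versus binding the server socket to a single address), as an added example that is not part of the original message or of Tomcat's code. It assumes the loopback address as the bind address and an OS-chosen ephemeral port as a stand-in for 8005; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.net.*;
import java.util.Collections;

// Added example: accept-then-check versus bind-to-loopback for a control port.
public class ShutdownBindDemo {
    // Return a non-loopback address of this host, or null if there is none.
    static InetAddress nonLoopback() throws SocketException {
        for (NetworkInterface nic : Collections.list(NetworkInterface.getNetworkInterfaces())) {
            if (!nic.isUp()) continue;
            for (InetAddress a : Collections.list(nic.getInetAddresses()))
                if (!a.isLoopbackAddress() && !a.isLinkLocalAddress()) return a;
        }
        return null;
    }

    // True if a TCP connection to addr:port completes within one second.
    static boolean canConnect(InetAddress addr, int port) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(addr, port), 1000);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        // Port 0 asks the OS for a free port (assumption: stand-in for 8005).
        try (ServerSocket wildcard = new ServerSocket(0);                 // all interfaces
             ServerSocket local = new ServerSocket(0, 50, loopback)) {   // loopback only
            System.out.println("wildcard via loopback: " + canConnect(loopback, wildcard.getLocalPort()));
            System.out.println("bound    via loopback: " + canConnect(loopback, local.getLocalPort()));
            InetAddress ext = nonLoopback();
            if (ext != null) {
                // The wildcard socket completes the TCP handshake for this address, so
                // the application has to inspect Socket.getInetAddress() after accept()
                // and refuse. The loopback-bound socket is not listening on it at all.
                System.out.println("wildcard via " + ext + ": " + canConnect(ext, wildcard.getLocalPort()));
                System.out.println("bound    via " + ext + ": " + canConnect(ext, local.getLocalPort()));
            }
        }
    }
}
```

Checking the listener with `netstat -an` or `ss -ltn` shows the same distinction: a wildcard listener appears under the any-address entry, while the bound one appears only under the loopback address.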
