Return-Path:
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 33336 invoked from network); 5 Mar 2001 02:30:56 -0000
Received: from dnai-216-15-97-206.cust.dnai.com (HELO betaversion.org) (216.15.97.206) by h31.sny.collab.net with SMTP; 5 Mar 2001 02:30:56 -0000
Received: from [192.168.1.100] ([192.168.1.100]) by betaversion.org (8.9.3+Sun/8.9.3) with ESMTP id SAA16751 for ; Sun, 4 Mar 2001 18:35:10 -0800 (PST)
User-Agent: Microsoft-Entourage/9.0.2509
Date: Sun, 04 Mar 2001 18:31:13 -0800
Subject: Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors
From: "Pier P. Fumagalli"
To:
Message-ID:
In-Reply-To: <3AA2F2F2.AB0F9D@eng.sun.com>
Mime-version: 1.0
Organization: Apache Software Foundation
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-Spam-Rating: h31.sny.collab.net 1.6.2 0/1000/N

Craig R. McClanahan wrote:
>>
>> Tomcat 4.0 will use port 8005 as its shutdown port, will this only accept
>> connections from localhost?
>
> Yes, in effect. The connection is accepted no matter where it comes from, but
> attempts to shut down Tomcat are refused unless they are from localhost.
>
> AFAIK, there is no way through standard Java I/O to restrict where the
> connection comes from at the socket accept level.

BARF, Craig :) :) :) Bind your serversocket to the 127.0.0.1 address only, and
the trick is done... (if it doesn't work, it's a JVM/OS problem)

>> Is this configurable?
>
> Not currently, although this would be relatively easy to add.

I wouldn't bother, but rather wait for the outcomes of JSR-096 (Java
Daemons)... Even if maybe it will not make it for our final release, we can
always incorporate their code (should come out with a BSD license), change the
packages from javax.daemon to org.apache and keep the two in sync. When it
finally comes out, we can simply incorporate it and change back to
javax.daemon.

>> Tomcat 4.0 will use port 8008 for its Warp Connector. Can this be filtered
>> using the Request Filter Valve? The docs for the Request Filter refer to
>> denying HTTP requests.
>
> As long as the Warp connector properly identifies where the request originated
> (which I am pretty sure it does), you can indeed use request filters to accept
> only requests from matching clients. However, this cannot be used to control
> where the connection from Apache comes from -- that would require code in the
> connector itself.

Actually, that's all the way around... GetRemoteHost() and addr() return the
Apache client, not the WARP client... Filtering at WARP level is a feature that
can be integrated in the connector...

    Pier

--
----------------------------------------------------------------------------
Pier Fumagalli
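
Added example, not part of the original message and not Tomcat's own code: the two approaches discussed in the thread, side by side in Java. The class and method names are hypothetical, and port 0 (an ephemeral port) stands in for 8005 so the demo runs without a port conflict.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;

public class LoopbackShutdownListener {
    // Approach from the quoted reply: the listener accepts from anywhere and the
    // command is refused afterwards unless the peer address is loopback.
    static boolean peerIsLocal(Socket accepted) {
        return accepted.getInetAddress().isLoopbackAddress();
    }

    // Approach from the answer: bind the listening socket to 127.0.0.1 only, so
    // the OS never completes a connection arriving on another interface.
    static ServerSocket bindLoopbackOnly(int port) throws IOException {
        return new ServerSocket(port, 1, InetAddress.getByName("127.0.0.1"));
    }

    public static void main(String[] args) throws IOException {
        try (ServerSocket server = bindLoopbackOnly(0)) { // 0 = ephemeral demo port
            int port = server.getLocalPort();
            System.out.println("listening on " + server.getLocalSocketAddress());

            // A loopback client connects and also passes the application-level check.
            try (Socket client = new Socket(InetAddress.getByName("127.0.0.1"), port);
                 Socket peer = server.accept()) {
                System.out.println("loopback peer accepted, local=" + peerIsLocal(peer));
            }

            // The same port on the host's non-loopback address has no listener.
            InetAddress external = InetAddress.getLocalHost();
            if (external.isLoopbackAddress()) {
                System.out.println("host name resolves to loopback; skipping external check");
                return;
            }
            try (Socket probe = new Socket()) {
                probe.connect(new InetSocketAddress(external, port), 1000);
                System.out.println("UNEXPECTED: reachable via " + external);
            } catch (IOException expected) {
                System.out.println("not reachable via " + external + ": " + expected.getMessage());
            }
        }
    }
}
```

With the loopback bind, a remote connection attempt fails at the TCP layer instead of being accepted and then refused, so no application code runs on behalf of a non-local peer.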