tomcat-users mailing list archives

From Gary Gwin <>
Subject Re: limiting access by IP address
Date Wed, 08 Jan 2003 18:34:48 GMT
An IP address cannot be changed mid-stream and cannot be easily faked 
(without the cooperation of the intervening network systems). The Apache 
distribution has long included mod_access for this purpose, and it is 
widely used. With Apache, you can specify either to deny or to grant access 
to an IP address using regular expression syntax. See the Apache 
documentation for more information.

Using IP addresses for access control is very useful within company 
intranets (e.g. the engineering department has access but the marketing 
department does not). It can also provide pseudo-firewall capabilities 
to deny Internet access to bad guys, or only grant access to users from 
a specific company. When accompanied by user authentication, it 
provides an extra measure of security (known as two-factor 
authentication). Generally, authentication (or identification more 
specifically) is a function of:

    Something you know (a username and password)
    Something you have (a smartcard or IP address)
    Something you are (biometrics)


Joel Rees wrote:

>>You can do the
>>same things with Valves and Filters for free.
>Stupid question, but what exactly is the point of limiting access by IP
>address? (IP addresses being spoofable, and all, ...)


Gary Gwin

*                                                               *
*   The Cafesoft Access Management System, Cams, is security    *
*   software that provides single sign-on authentication and    *
*   centralized access control for Apache, Tomcat, and custom   *
*   resources.                                                  *
*                                                               *
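
Added example, not part of the original message or of Tomcat's own code: a servlet Filter of the kind the thread mentions, restricting access by client IP address. The class name `IpAllowFilter` and the ranges in `ALLOW` are constructed for illustration, and the `javax.servlet` API is assumed (Tomcat 9 and earlier; Tomcat 10 and later use `jakarta.servlet`).

```java
import java.io.IOException;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Allows requests only from the listed CIDR ranges; everything else gets 403. */
public class IpAllowFilter implements Filter {
    // Constructed sample ranges; replace with the networks you intend to admit.
    private static final String[] ALLOW = { "10.1.0.0/16", "127.0.0.1/32", "::1/128" };

    /** True if addr lies inside cidr, comparing address bits rather than text. */
    static boolean inCidr(InetAddress addr, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        byte[] ip = addr.getAddress();
        if (net.length != ip.length) return false;       // IPv4 entry vs IPv6 peer, or reverse
        int bits = net.length * 8;
        int prefix = Integer.parseInt(parts[1]);
        if (prefix < 0 || prefix > bits) return false;   // malformed entry never matches
        int shift = bits - prefix;                       // drop the host part of both addresses
        return new BigInteger(1, ip).shiftRight(shift)
                .equals(new BigInteger(1, net).shiftRight(shift));
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer the container saw. Do not substitute a
        // client-supplied header such as X-Forwarded-For. Behind a reverse proxy
        // this value is the proxy's address, so filter at the proxy instead.
        InetAddress peer = InetAddress.getByName(req.getRemoteAddr());
        for (String cidr : ALLOW) {
            if (inCidr(peer, cidr)) {
                chain.doFilter(req, res);   // allowed; user authentication still applies
                return;
            }
        }
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
    }
}
```

The filter takes effect once it is mapped to a URL pattern in the web application's `web.xml`; any user authentication configured for the application continues to run for requests it lets through.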
