tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: Deployment on a specific port
Date Fri, 12 Sep 2003 10:44:38 GMT
IIRC, getRemoteAddr() is as reliable as your router in preventing spoofed 
addresses.

So you should be safe if you can trust your network to say the 198.168.0.25 
is that computer and not a spoof.

-Tim

Martin Jericho wrote:
> Since it looks like there is no easy way to do it, does anyone know of a
> secure way to check the source IP address or target port of the request?  Am
> I correct in assuming that the getServerPort() and getRemoteAddr() methods
> are not reliable for security purposes?
> 
> ----- Original Message ----- 
> From: "Tim Funk" <funkman@joedog.org>
> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> Sent: Friday, September 12, 2003 11:09 AM
> Subject: Re: Deployment on a specific port
> 
> 
> 
>>Actually as to different services it could be the same webapp but tomcat
>>would treat them as two different webapps.
>>
>>At this time at night, I'm out of ideas. (Actually, brain ain't working, must
>>sleep)
>>
>>The simple kludge is to keep with the original idea and store the shared data
>>in a common classloader in some static fashion. (Emphasis ... kludge)
>>
>>-Tim
>>
>>Martin Jericho wrote:
>>
>>
>>>Thanks Tim, but I forgot to mention that both servlets have to be in the same
>>>webapp!  One is my main servlet that handles user web requests, and the
>>>other is the AxisServlet for handling a SOAP interface into the same
>>>application.  I want to stick the SOAP servlet onto a different port which
>>>can not be accessed from outside the firewall.
>>>
>>>What are the "extra tricks" you mentioned?
>>>
>>>----- Original Message ----- 
>>>From: "Tim Funk" <funkman@joedog.org>
>>>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>>Sent: Friday, September 12, 2003 10:51 AM
>>>Subject: Re: Deployment on a specific port
>>>
>>>
>>>
>>>
>>>>I think you can create 2 services and each service gets its own connector and
>>>>webapp.
>>>>
>>>>This also means that both servlets can't be in the same webapp. (Without
>>>>extra tricks)
>>>>
>>>>-Tim
>>>>
>>>>Martin Jericho wrote:
>>>>
>>>>
>>>>
>>>>>I would like to set up a single standalone instance of tomcat with
>>>>>connectors on two ports, and deploy one servlet to work only on one port and
>>>>>a different servlet to work only on the other port.  Is this possible?
>>>>>
>>>>>If not, the only way I can get around it that I can see is to use the
>>>>>ServletRequest.getServerPort() method to check which port the request came
>>>>>in on and reject it if it was on the wrong port.  I suspect however that this
>>>>>is not secure as the value returned by getServerPort() comes from the
>>>>>request header, which can easily be spoofed.  Will the
>>>>>ServletRequest.getLocalPort() method in the proposed 2.4 spec be more
>>>>>secure?
>>>>>
>>>>>How are other people doing this?
>>>>
>>>>
>>>>---------------------------------------------------------------------
>>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 
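Added example, not part of the original thread or Tomcat's own code: a servlet filter that enforces the port restriction discussed above with `getLocalPort()` (Servlet 2.4 and later), which reports the port of the socket that accepted the connection, instead of `getServerPort()`, which takes its value from the Host header when one is sent. The class name `LocalPortFilter` and the `allowedPort` init-param are assumptions, as is that clients connect directly to Tomcat's HTTP connectors with no proxy in front.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: lets a request through only if it arrived on the
// connector port named in the "allowedPort" init-param (assumed name).
public class LocalPortFilter implements Filter {
    private int allowedPort;
    private FilterConfig config;

    public void init(FilterConfig config) throws ServletException {
        this.config = config;
        try {
            // parseInt(null) also throws NumberFormatException, so a missing
            // parameter fails deployment instead of leaving the servlet open.
            allowedPort = Integer.parseInt(config.getInitParameter("allowedPort"));
        } catch (NumberFormatException e) {
            throw new ServletException("allowedPort init-param must be an integer", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        int localPort = req.getLocalPort();     // port of the accepting socket
        int claimedPort = req.getServerPort();  // Host header port, if one was sent
        if (localPort != allowedPort) {
            if (claimedPort == allowedPort) {
                // The header names the restricted port but the socket does not:
                // worth recording, since a getServerPort() check would have passed.
                config.getServletContext().log("Host header claims port " + claimedPort
                        + " but connection arrived on port " + localPort
                        + " from " + req.getRemoteAddr());
            }
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter in web.xml to the URL pattern of the servlet to be restricted (the AxisServlet in this thread) and set `allowedPort` to the internal connector's port.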

