From Adam Buglass <adam.bugl...@ncl.ac.uk>
Subject Re: Filter on url example - Filter out hack attempts
Date Tue, 11 May 2004 14:30:14 GMT
Hi Larry, as someone who has only been using tomcat (apart from the
deploy tool) since August and who has had to greatly improve my Java
skills since the same time...

I suggest the best way to learn is to get your hands dirty, so to speak.
Thoroughly read the provided Tomcat docs including any ReadMe files you
can get your hands on. Get your hands on any example server.xml files
that you can (there'll probably be some in your books and on the web).
As for Java, find some good books to teach you Java and JSPs. I found
Java a very steep learning curve at first. I have also found the
following Java site very useful (and the book that goes with it):
http://javagently.cs.up.ac.za/  and these pages:
http://java.sun.com/j2se/1.3/docs/api/
I expect you'll find all the pages quoted by Nathan as being useful
also.

I've found the best way is to dive in and use them, preferably install
Sun's Java compiler and Tomcat onto a system somewhere where they can't
do major harm if they go wrong (i.e. not a server that's already in use!)
and just have a go.
I've had to do a lot of it on an up and running server but I don't
advise this!!

Anyway, those are just some thoughts and suggestions that may or may not
work for you.

Hope it helps.
Adam.



On Tue, 2004-05-11 at 15:16, lrnobs wrote:
> Nathan,
> 
> I am a newbie to Java and Tomcat, and I did spend two days with two Tomcat
> books I bought and Google trying to find some instructions I could
> understand before posting a question to this list.  Please let me know if
> there is a list more appropriate for new users.
> 
> Thanks,
> 
> Larry Nobs
> 
> 
> ----- Original Message ----- 
> From: "Nathan Maves" <Nathan.Maves@Sun.COM>
> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> Sent: Tuesday, May 11, 2004 8:56 AM
> Subject: Re: Filter on url example - Filter out hack attempts
> 
> 
> > First off, this is not a Tomcat question.  This type of information is
> > always available at http://java.sun.com or http://forum.java.sun.com/
> >
> > To answer your question....Yes.  In fact you can place the class wherever
> > you want as long as it is in your classpath.  Of course you will
> > also have to change the <filter-class> attribute accordingly.
> >
> > Nathan
> > On May 11, 2004, at 7:42 AM, lrnobs wrote:
> >
> > > Yoav,
> > >
> > > So from what I know so far my
> > > /usr/local/tomcat/webapps/myapplication/WEB-INF/web.xml should look
> > > like the
> > > following:
> > >
> > > <web-app>
> > >   <filter>
> > >     <filter-name>UrlFilter</filter-name>
> > >     <filter-class>UrlFilter</filter-class> *Don't know how this should be laid out.*
> > >   </filter>
> > >
> > >   <filter-mapping>
> > >     <filter-name>UrlFilter</filter-name>
> > >     <url-pattern>/*</url-pattern>
> > >   </filter-mapping>
> > >
> > >   <welcome-file-list>
> > >     <welcome-file>index.jsp</welcome-file>
> > >     <welcome-file>index.html</welcome-file>
> > >   </welcome-file-list>
> > > </web-app>
> > >
> > >
> > > Do I then create
> > > /usr/local/tomcat/webapps/myapplication/WEB-INF/classes/URLFilter.java?
> > >
> > >
> > >  public class UrlFilter implements Filter {
> > >    ...
> > >    public void doFilter(...) {
> > >      if(req instanceof HttpServletRequest) {
> > >        HttpServletRequest hreq = (HttpServletRequest) req;
> > >        String uri = hreq.getRequestURI();
> > >        if(allow(uri)){
> > >          chain.doFilter(req, res);
> > >        } else {
> > >          // Send to Null: the request is not passed down the chain
> > >          // Do whatever: error page, redirect, etc.
> > >        }
> > >      } else {
> > >        // Non-HTTP requests
> > >        chain.doFilter(req, res);
> > >      }
> > >    }
> > >
> > >    // The pages and graphics to accept, tested as substrings of the URI
> > >    // (the *page1.jsp* style of the original list)
> > >    private static final String[] ALLOWED = {
> > >      "page1.jsp", "page2.jsp", "page3.jsp", "page4.jsp", "page5.jsp",
> > >      "graphic1.gif", "graphic2.gif"
> > >    };
> > >
> > >    private boolean allow(String uri) {
> > >      // Look up allowed urls in a DB, Collection, whatever
> > >      if (uri.equals("/")) return true;   // GET / HTTP/1.1 and GET / HTTP/1.0
> > >      for (int i = 0; i < ALLOWED.length; i++) {
> > >        // indexOf() returns -1 when the name is absent, 0 when it starts the string
> > >        if (uri.indexOf(ALLOWED[i]) >= 0) return true;
> > >      }
> > >      return false;
> > >    }
> > >  }
> > >
> > > Thanks,
> > >
> > > Larry Nobs
> > >
> > >>
> > >> Hi,
> > >> This is a trivial filter:
> > >> public class URLFilter implements Filter {
> > >>   ...
> > >>   public void doFilter(...) {
> > >>     if(req instanceof HttpServletRequest) {
> > >>       HttpServletRequest hreq = (HttpServletRequest) req;
> > >>       String uri = hreq.getRequestURI();
> > >>       if(allow(uri)){
> > >>         chain.doFilter(req, res);
> > >>       } else {
> > >>         // Do whatever: error page, redirect, etc.
> > >>       }
> > >>     } else {
> > >>       // Non-HTTP requests
> > >>       chain.doFilter(req, res);
> > >>     }
> > >>   }
> > >>
> > >>     private boolean allow(String uri) {
> > >>      // Look up allowed urls in a DB, Collection, whatever
> > >>     }
> > >> }
> > >>
> > >> I omitted full prototype declarations above due to laziness.  It's the
> > >> javax.servlet.Filter interface.
> > >>
> > >> Take a look at the balancer webapp that ships with tomcat 5.  The
> > >> URLStringMatchRule is pretty close to what you want, and can be easily
> > >> extended with a list of allow patterns and/or deny patterns.  Tomcat
> > >> has
> > >> something similar as the base Valve for the RemoteAddr/RemoteHost
> > >> valves.
> > >>
> > >> Yoav Shapira
> > >> Millennium Research Informatics
> > >>
> > >>
> > >>> -----Original Message-----
> > >>> From: lrnobs [mailto:lrnobs@firstclasssolutions.net]
> > >>> Sent: Saturday, May 08, 2004 9:11 PM
> > >>> To: Tomcat Users List
> > >>> Subject: Filter on url example - Filter out hack attempts
> > >>>
> > >>> I have had no luck Googling so far for an example on how to filter
> > >>> based on urls.
> > >>>
> > >>> I thought I might put this in the AccessLogValve but will do whatever
> > >>> works.
> > >>>
> > >>> I have a limited number of jsp's and graphics on my site and would
> > >>> like to filter out all of the hack attempts that fill up my logs.
> > >>>
> > >>> I would like to do something like this (in plain english)
> > >>>
> > >>> Accept
> > >>> GET / HTTP/1.1
> > >>> GET / HTTP/1.0
> > >>> *page1.jsp*
> > >>> *page2.jsp*
> > >>> *page3.jsp*
> > >>> *page4.jsp*
> > >>> *page5.jsp*
> > >>> *graphic1.gif*
> > >>> *graphic2.gif*
> > >>>
> > >>> Drop All Other Requests - they are just hack attempts
> > >>>
> > >>> Thanks,
> > >>>
> > >>> Larry Nobs
> > >>>
> > >>>
> > >>>
> > >>> ---------------------------------------------------------------------
> > >>> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > >>> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > >
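
The URI allowlist filter that Yoav sketches and Larry tries to fill in above, written out as a complete javax.servlet.Filter. This is an added example, not code from any message in the thread or from Tomcat itself. The class name UrlAllowListFilter, the init-param name "allowed", accepting only GET and HEAD, and answering every denied request with a bare 404 are assumptions; the default path list is Larry's list from the first message.

```java
// Registered in WEB-INF/web.xml as in the quoted thread, with the compiled
// class in WEB-INF/classes/UrlAllowListFilter.class:
//
//   <filter>
//     <filter-name>UrlFilter</filter-name>
//     <filter-class>UrlAllowListFilter</filter-class>
//     <init-param>   <!-- optional; overrides DEFAULT_ALLOWED (assumed name) -->
//       <param-name>allowed</param-name>
//       <param-value>/,/page1.jsp,/graphic1.gif</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>UrlFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>

import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Fail-closed URI allowlist: only the listed paths, fetched with GET or HEAD,
 * reach the rest of the filter chain. Everything else gets a bare 404, which
 * tells a scanner nothing about what exists behind the filter.
 */
public class UrlAllowListFilter implements Filter {

    /** Paths relative to the context root, compared exactly (no wildcards). */
    private static final String[] DEFAULT_ALLOWED = {
        "/",                                   // "GET / HTTP/1.x": the welcome file
        "/page1.jsp", "/page2.jsp", "/page3.jsp", "/page4.jsp", "/page5.jsp",
        "/graphic1.gif", "/graphic2.gif"
    };

    private Set<String> allowed;

    public void init(FilterConfig config) throws ServletException {
        allowed = new HashSet<String>();
        // "allowed" init-param (assumed name): comma-separated paths replacing the default list.
        String param = config.getInitParameter("allowed");
        String[] paths = (param == null) ? DEFAULT_ALLOWED : param.split(",");
        for (String p : paths) {
            p = p.trim();
            if (p.length() > 0) {
                allowed.add(p);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);          // non-HTTP requests: not our concern
            return;
        }
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;

        if (allow(hreq.getMethod(), pathWithinContext(hreq))) {
            chain.doFilter(req, res);
        } else {
            // Deny without forwarding anywhere; sendError commits the response.
            hres.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    public void destroy() {
        allowed = null;
    }

    /**
     * getRequestURI() is the raw, still URL-encoded path: it includes the context
     * path (empty for the ROOT webapp) and any ";jsessionid=..." path parameter
     * but never the query string. Strip the context path and path parameters;
     * what is left must equal an allowlist entry exactly, so "/./page1.jsp" and
     * "/%70age1.jsp" are denied even though Tomcat would map them to page1.jsp.
     */
    static String pathWithinContext(HttpServletRequest hreq) {
        String uri = hreq.getRequestURI();
        String ctx = hreq.getContextPath();
        if (ctx != null && ctx.length() > 0 && uri.startsWith(ctx)) {
            uri = uri.substring(ctx.length());
        }
        int semi = uri.indexOf(';');
        if (semi >= 0) {
            uri = uri.substring(0, semi);
        }
        return uri.length() == 0 ? "/" : uri;
    }

    boolean allow(String method, String path) {
        // Only read-only methods are legitimate for a site of fixed JSPs and images.
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            return false;
        }
        // Exact match rather than indexOf(): a substring test would also accept
        // "/anything/page1.jsp" or "/page1.jsp.bak", which the site never meant to serve.
        return allowed.contains(path);
    }
}
```

Two things to keep in mind when dropping this in. A Filter runs inside the web application, after Tomcat's Valve pipeline, so an AccessLogValve still records the rejected requests; the filter limits what is served, not what is logged. On Tomcat 10 and later the javax.servlet imports become jakarta.servlet.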