tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Zak Mc Kracken <>
Subject Re: RemoteAddrValve and RemoteHostValve
Date Sat, 28 Feb 2009 18:14:10 GMT
Thank you all for replies and detailed explanation. Now I understand 
what's happening. My specific problem is restrict a single web 
application to clients coming from localhost only. This was not working 
(everything blocked):

   <Valve className="org.apache.catalina.valves.RemoteHostValve"
   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
          allow="127\.0\.0\.1" deny="" />

I am using a Mac and, after your replies, I tried to see what 
request.getRemoteAddr() and request.getRemoteHost(). Well, it turns out 
that they both return "0:0:0:0:0:0:0:1%0", so now everything works with:

   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
          allow="127\.0\.0\.1,0:0:0:0:0:0:0:1\%0" deny="" />

Moreover, André's reply is pretty convincing, although it seems to imply 
that RemoteHostValve should be avoided (isn't DNS reverse lookup 
cached?) and cannot be chained with RemoteAddrValve. Of course one can 
do what you suggests, although this is a bit impractical in large 
networks where one wouldn't like to care about IP changes of symbolic 
names. Worse, I don't see what I could do to grant access to single PCs 
in those LANs where users have fixed host names for their PCs, but 
DHCP-assigned IPs (OK, maybe it's a theoretical case, I would probably 
switch to user/password).



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message