tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark H. Wood" <mw...@IUPUI.Edu>
Subject Re: Denying IPs using the Valve command in context.xml
Date Wed, 05 Oct 2011 14:28:17 GMT
On Tue, Oct 04, 2011 at 09:11:28PM +0200, Francis GALIEGUE wrote:
> On Tue, Oct 4, 2011 at 21:08, Christopher Schultz
> <> wrote:
> [...]
> >
> > - From the docs:
> >
> > "If this attribute [allow] is specified, the remote address MUST match
> > for this request to be accepted".
> >
> > "If this attribute [deny] is specified, the remote address MUST NOT
> > match for this request to be accepted".
> >
> > I don't think Matacher.lookingAt is appropriate for this kind of checking.
> >
> Well, it depends on the definition of "match", I guess. For me, a
> regex matches an input if it matches anywhere in the input! Which is
> pretty much the definition of regex matching, and which is why Java's
> .matches() methods are misnomers...

Hmmm, old SNOBOL coders may recall the handy concept of "anchored"
(.matches(), .lookingAt()) vs. "unanchored" (.find()) matching.  The
actual difference between matches() and lookingAt() is that of
matching the entire string vs. matching a prefix.

Having said that, I think that an anchored partial match (lookingAt())
really is the least-bad fit to the address problem, since we're
usually more concerned about the first, second, and perhaps third
quads of an IP address and the trailing part is considered
insignificant.  As I posted previously, though, it's still pretty bad:
how would you match a /27?

Domain matches, OTOH, might take matches() as least-bad of the regex
types, since the prefix tends to be the don't-care part.  Again,
though, since domain structure is significant, regex matching tends to
require a lot of complexity that could be considered boilerplate: you
almost always need to write all the fiddly escaped dots and stuff.

(If you think SNOBOL is ancient:  I'm trying to recall whether COMIT
II embodied all of these concepts. :-)

Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.

View raw message