tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Denying IPs using the Valve command in context.xml
Date Wed, 05 Oct 2011 22:06:41 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

On 10/5/2011 10:28 AM, Mark H. Wood wrote:
> Having said that, I think that an anchored partial match 
> (lookingAt()) really is the least-bad fit to the address problem, 
> since we're usually more concerned about the first, second, and 
> perhaps third quads of an IP address and the trailing part is 
> considered insignificant.

Again, I'm guessing that this just isn't going to change, no matter how
good the arguments are, unless there is some new syntax that
differentiates the old behavior from the new (such as adding prefix and
postfix / like /\.0\./ if you want to match anything that has a 0 as
either of the middle two octets of an IPv4 address).

> As I posted previously, though, it's still pretty bad: how would
> you match a /27?

This valve can't do that, anyway. If you want /27, you have to list them
all out. Note that there is a patch currently under development to
handle CIDR masks such as this one:
https://issues.apache.org/bugzilla/show_bug.cgi?id=51953

> Domain matches, OTOH, might take matches() as least-bad of the
> regex types, since the prefix tends to be the don't-care part.

I see these as mirror-images of one-another: the implementation fails in
both cases by requiring you to add .* to either the beginning or the end
of your regular expression.

No matter what else happens, it's worth pointing-out in the
documentation what's really going on, here.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6M1PEACgkQ9CaO5/Lv0PB0HQCfYpd59y18bJilfBPasp2MRyDl
Np0An1NWgVCHEfOWnhz4+PLMiBtTkhne
=adNX
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message