tomcat-users mailing list archives

From Casper Wandahl Schmidt <kalle.pri...@gmail.com>
Subject Re: Filter by HTTP_REFERER
Date Wed, 02 Nov 2011 09:34:10 GMT


On 02-11-2011 10:17, André Warnier wrote:
> Pid * wrote:
>> On 31 Oct 2011, at 18:25, Christopher Schultz
>> <chris@christopherschultz.net> wrote:
>>
>>> Ricardo,
>>>
>>> On 10/31/2011 12:33 PM, Ricardo Bayley wrote:
>>>> You are right. What I intend to do is prevent hot linking.
>>> We get what you are trying to do: you'll just have to write your own
>>> code to do it. Tomcat ships with a Filter called RequestFilter that
>>> you can subclass if you need that kind of flexibility. If you don't
>>> need such flexibility, just write it yourself: it's pretty much a
>>> one-liner.
>>
>> It'll still be fragile and open to exploitation. An AJAX call can set
>> any request headers it likes. You'd be better off using authentication
>> if you want anything more than a casual defence.
>>
>>
>> p
>>
>>
>>>> My webapp is working as a REST webservice.
>>>>
>>>> So I would like to have tomcat reply only when requests come from
>>>> specific sites.
>>> You mean when the requests are referred from specific sites, right?
>>>
>>> - -chris
>
> I think that a bit of clarification is in order now.
>
> 1) When receiving a request, Tomcat "knows" from which client IP this 
> request is coming.
> This is because there is a TCP connection between the client and 
> Tomcat, and the TCP/IP stack on the Tomcat machine "knows" the IP 
> address and TCP port from which the remote client is making this 
> connection.
>
> Tomcat can allow/block requests originating from specific IP 
> addresses, using the RemoteAddress filter (See 
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter) 
> or the Remote IP Valve (also mentioned there).
> This is fairly efficient, because Tomcat already has the information 
> needed to make the decision.
>
> 2) Because Tomcat has the client's remote IP address, it can also make 
> a "reverse DNS lookup", to find out which domain name corresponds to 
> this IP address, and then allow/deny the request based on the remote 
> host's domain name.  This is done via the RemoteHost filter 
> (http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Host_Filter).
> It is less efficient than option (1), because a DNS lookup has to take 
> place.
> Furthermore, this DNS lookup is not guaranteed to succeed, because not 
> all IP addresses are mapped in reverse to a hostname.
> I also wonder what happens exactly when the remote host's IP address 
> corresponds to multiple DNS names, as can happen.
>
> 3) the HTTP "Referer" header in a HTTP request is a different animal.
>
> First, as pointed out by Pid, it can be easily faked by a client.
> (So anything based on this should certainly /not/ be considered as any 
> kind of security-enhancing feature).
>
> Second, it works as follows:
>
> Imagine a browser B, some website W, and the Tomcat web server T.
> The browser B gets a web page from site W. This is now the browser's 
> "current page", and its origin is (to the browser) something like: 
> "http://website-W/some-document.html".
>
> In that page, there is a URL link to the Tomcat website on T, for 
> example something like:
> <a href="http://website-T/some-REST-url">click here</a>.
> When the user clicks on that link, the browser will send a HTTP 
> request to Tomcat on server T.  And the browser, in this request, will 
> add a "Referer:" header containing "http://website-W/some-document.html".
> That is because the request originates from the current page, which 
> had been obtained from "http://website-W/some-document.html".  That is 
> what "referrer" means.
>
> As you can see, this is different from cases (1) and (2), because (1) 
> and (2) refer to the client's own IP address or name, while (3) refers 
> to another server altogether.
>
> Now the point is to know exactly what Ricardo wants, as per this phrase :
> >>> So I would like to have tomcat reply only when requests come from
> >>> specific sites.
>
> Does that mean :
> - Tomcat should reject requests coming from workstations that are not 
> themselves within a particular range of IP addresses ? (for example, 
> only from some customer LANs L1, L2, L3,..) of which the IP addresses 
> are known in advance ?
> OR
> - Tomcat should reject requests coming from clients whose own IP 
> addresses cannot be resolved to hostnames that are members of some DNS 
> domain (like "*.customer1.com" or "*.customer2.org") ?
> OR
> - Tomcat should reject requests (from any client), unless these 
> requests come from a link which itself appears only on some websites ?
> (and the possibility of a malicious client "faking" such a "Referer" 
> can be ignored).
According to the OP he wants to avoid hot-linking, which would be this last 
case, or have I misunderstood something?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
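A minimal version of the "write it yourself" Filter that Chris mentions, added here as an illustration and not code from the thread or from Tomcat itself; it assumes the Servlet 3.0 javax.servlet API shipped with Tomcat 7 and a web.xml init-param named allowedHosts (both assumptions). It implements only André's third case (anti-hotlinking by Referer host) and, as Pid and André point out, the header is supplied by the client, so this is a convenience check and not an access control.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects requests whose Referer host is not on an allow-list. Anti-hotlinking only: Referer is client-controlled. */
public class RefererAllowListFilter implements Filter {
    private final Set<String> allowedHosts = new HashSet<String>();
    public void init(FilterConfig cfg) {
        // Assumed init-param "allowedHosts": comma-separated hostnames, e.g. "website-w,www.website-w"
        String raw = cfg.getInitParameter("allowedHosts");
        if (raw != null) {
            for (String h : raw.split(",")) {
                allowedHosts.add(h.trim().toLowerCase());
            }
        }
    }
    /** True when the Referer header parses as a URI whose host exactly matches an allowed host. */
    static boolean refererAllowed(String referer, Set<String> allowed) {
        if (referer == null) return false;            // no Referer at all: treated as a direct/hotlinked request
        try {
            String host = new URI(referer).getHost();  // "http://website-W/some-document.html" -> "website-W"
            // exact host match, not a suffix/substring match, so "website-w.evil" style values do not pass
            return host != null && allowed.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return false;                             // malformed header: deny rather than guess
        }
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (refererAllowed(http.getHeader("Referer"), allowedHosts)) {
            chain.doFilter(req, res);                 // referred from an allowed site: pass through
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
    public void destroy() { }
}
```

Browsers that omit Referer (privacy settings, HTTPS-to-HTTP navigation, meta referrer policies) are also denied by this filter, so decide whether a missing header should be allowed for your users before deploying it.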

