From: André Warnier
Reply-To: Tomcat Users List
To: Tomcat Users List
Delivered-To: mailing list users@tomcat.apache.org
Subject: Re: Filter by HTTP_REFERER
Date: Wed, 02 Nov 2011 10:42:42 +0100
Message-ID: <4EB11092.2050804@ice-sa.com>
In-Reply-To: <4EB10E92.7090000@gmail.com>
References: <4EAECB8B.7000609@ice-sa.com> <4EAEE7E1.3030600@christopherschultz.net> <3546031746380909772@unknownmsgid> <4EB10AB1.8050300@ice-sa.com> <4EB10E92.7090000@gmail.com>
Casper Wandahl Schmidt wrote:
>
>
> On 02-11-2011 10:17, André Warnier wrote:
>> Pid * wrote:
>>> On 31 Oct 2011, at 18:25, Christopher Schultz wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Ricardo,
>>>>
>>>> On 10/31/2011 12:33 PM, Ricardo Bayley wrote:
>>>>> You are right. What I intend to do is prevent hot linking.
>>>> We get what you are trying to do: you'll just have to write your own
>>>> code to do it. Tomcat ships with a Filter called RequestFilter that
>>>> you can subclass if you need that kind of flexibility. If you don't
>>>> need such flexibility, just write it yourself: it's pretty much a
>>>> one-liner.
>>>
>>> It'll still be fragile and open to exploitation. An AJAX call can set
>>> any request headers it likes. You'd be better off using authentication
>>> if you want anything more than a casual defence.
>>>
>>>
>>> p
>>>
>>>
>>>>> My webapp is working as a REST webservice.
>>>>>
>>>>> So I would like to have tomcat reply only when requests come from
>>>>> specific sites.
>>>> You mean when the requests are referred from specific sites, right?
>>>>
>>>> - -chris
>>
>> I think that a bit of clarification is in order now.
>>
>> 1) When receiving a request, Tomcat "knows" from which client IP this
>> request is coming.
>> This is because there is a TCP connection between the client and
>> Tomcat, and the TCP/IP stack on the Tomcat machine "knows" the IP
>> address and TCP port from which the remote client is making this
>> connection.
>>
>> Tomcat can allow/block requests originating from specific IP
>> addresses, using the RemoteAddress filter (See
>> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter)
>> or the Remote IP Valve (also mentioned there).
>> This is fairly efficient, because Tomcat already has the information
>> needed to make the decision.
>>
>> 2) Because Tomcat has the client's remote IP address, it can also make
>> a "reverse DNS lookup", to find out which domain name corresponds to
>> this IP address, and then allow/deny the request based on the remote
>> host's domain name. This is done via the RemoteHost filter
>> (http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Host_Filter).
>>
>> It is less efficient than option (1), because a DNS lookup has to take
>> place.
>> Furthermore, this DNS lookup is not guaranteed to succeed, because not
>> all IP addresses are mapped in reverse to a hostname.
>> I also wonder what happens exactly when the remote host's IP address
>> corresponds to multiple DNS names, as can happen.
>>
>> 3) the HTTP "Referer" header in an HTTP request is a different animal.
>>
>> First, as pointed out by Pid, it can be easily faked by a client.
>> (So anything based on this should certainly /not/ be considered as any
>> kind of security-enhancing feature).
>>
>> Second, it works as follows :
>>
>> Imagine a browser B, some website W, and the Tomcat web server T.
>> The browser B gets a web page from site W. This is now the browser's
>> "current page", and its origin is (to the browser) something like :
>> "http://website-W/some-document.html".
>>
>> In that page, there is a URL link to the Tomcat website on T, for
>> example something like :
>> click here.
>> When the user clicks on that link, the browser will send an HTTP
>> request to Tomcat on server T. And the browser, in this request, will
>> add a "Referer:" header containing "http://website-W/some-document.html".
>> That is because the request originates from the current page, which
>> had been obtained from "http://website-W/some-document.html". That is
>> what "referrer" means.
>>
>> As you can see, this is different from cases (1) and (2), because (1)
>> and (2) refer to the client's own IP address or name, while (3) refers
>> to another server altogether.
>>
>> Now the point is to know exactly what Ricardo wants, as per this phrase :
>>
>>> So I would like to have tomcat reply only when requests come from
>>> specific sites.
>>
>> Does that mean :
>> - Tomcat should reject requests coming from workstations that are not
>> themselves within a particular range of IP addresses ? (for example,
>> only from some customer LANs L1, L2, L3,..) of which the IP addresses
>> are known in advance ?
>> OR
>> - Tomcat should reject requests coming from clients whose own IP
>> addresses cannot be resolved to hostnames that are members of some DNS
>> domain (like "*.customer1.com" or "*.customer2.org") ?
>> OR
>> - Tomcat should reject requests (from any client), unless these
>> requests come from a link which itself appears only on some websites ?
>> (and the possibility of a malicious client "faking" such a "Referer"
>> can be ignored).
> According to OP he wants to avoid hot-linking which would be this last
> case or have I misunderstood something?

Well, "hot-linking" is not a term he himself mentioned, it is a term
someone else mentioned, after interpreting the above phrase that he
wrote.
It is not so clear to me what he really wants.
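The "write it yourself" option for case (3), as an added example that is not code from the thread, from Tomcat, or from any of the participants: a servlet Filter that compares the parsed host of the Referer header against an allow-list. The class name, the `allowedHosts` and `allowMissingReferer` init-param names, and the hostnames in the comments are this example's own assumptions. It applies only the deterrent the thread describes; as Pid and André point out, the header is chosen by the client, so this limits casual hot-linking and nothing more.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter (not part of Tomcat or of the thread).
 * Rejects requests whose Referer host is not on an allow-list.
 * The Referer header is supplied by the client and can be set to anything,
 * so this is a hot-link deterrent, not an access control; use
 * authentication when real access control is needed.
 */
public class RefererAllowListFilter implements Filter {

    private final Set<String> allowedHosts = new HashSet<String>();
    private boolean allowMissingReferer;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Init-param names are this example's own convention:
        //   allowedHosts        comma-separated hostnames, e.g. "website-W,www.website-W"
        //   allowMissingReferer "true" to accept requests that carry no Referer at all
        String hosts = config.getInitParameter("allowedHosts");
        if (hosts == null || hosts.trim().isEmpty()) {
            throw new ServletException("allowedHosts init-param is required");
        }
        for (String h : hosts.split(",")) {
            allowedHosts.add(h.trim().toLowerCase(Locale.ROOT));
        }
        // Browsers legitimately omit Referer (typed URLs, bookmarks, privacy
        // settings, HTTPS-to-HTTP navigation), so this case needs an explicit policy.
        allowMissingReferer = Boolean.parseBoolean(
                config.getInitParameter("allowMissingReferer"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isAllowed(request.getHeader("Referer"))) {
            chain.doFilter(req, res);
        } else {
            // A plain 403 keeps the rejected response small.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /** True when the Referer is absent (and that is permitted) or its host is allow-listed. */
    boolean isAllowed(String referer) {
        if (referer == null || referer.isEmpty()) {
            return allowMissingReferer;
        }
        try {
            // Compare the parsed host, never a substring of the raw header:
            // "http://other.example/website-W/page.html" contains "website-W"
            // but its host is other.example.
            String host = new URI(referer).getHost();
            return host != null && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            // A Referer that is not a valid URI is treated as not allowed.
            return false;
        }
    }

    @Override
    public void destroy() {
        allowedHosts.clear();
    }
}
```

Register it in the webapp's WEB-INF/web.xml with a `<filter>` element carrying the two init-params and a `<filter-mapping>` restricted to the URL pattern of the resources being protected (images, for instance) rather than the whole application, so that pages reached directly are unaffected. For cases (1) and (2) in André's list no custom code is needed: the Remote Address and Remote Host filters he links to already take an `allow`/`deny` pattern and act on information Tomcat holds from the TCP connection rather than on a client-supplied header.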