tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: org.apache.catalina.valves.RemoteHostValve does this work ???
Date Wed, 30 May 2012 21:11:33 GMT
Leo Donahue - PLANDEVX wrote:
>> -----Original Message-----
>> From: N.s.Karthik [mailto:nskarthik.k@gmail.com]
>> Subject: org.apache.catalina.valves.RemoteHostValve does this work ???
>>
>> Hi
>>
>> Spec
>> JDK1.6
>> TC : tomcat 6.26
>> O/s win 7 /Linux (redhat)
>>
>> I have configured the valve as follows  in  TC /conf/Context.xml
>>
>> *<Valve className="org.apache.catalina.valves.RemoteHostValve"
>>              allow="ai-itl-107"
>>               deny="192.168.8.210" />*
>>
>> On restart of the TC ... I am denied access at URL
>>
>> *http://ai-itl-107:8080/*
>>
>> as   HTTP 403 Error ???
>>
>> Disabling this valve  the URL works and application is available
>> normally.
>>
>> I am confused
>>
>>
>> with regards
>> karthik
> 
> The docs indicate that you need to use a regular expression pattern for the allow and deny attributes.
> 
> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Host_Filter
> 
> allow="ai\-itl\-107"
> deny="192\.168\.8\.210"
> 
> Does that work?
> 
> Leo
> 

In addition, either I am missing something, or there are a couple of strange things in the
original post.

The allow/deny of the RemoteHostValve are supposed to mean /from which client/ one can or
cannot access this Tomcat Host, on the basis of the client's *hostname*.
(read http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Host_Filter, as
compared to http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Address_Filter)

So
1) what does this *request* URL "http://ai-itl-107:8080" have to do with it all ? is
"ai-itl-107" the hostname of the client, or of the server ?
2) what about the IP address in the "deny" part ? should one not be using a hostname here
(or use a Remote Address Filter instead) ?


In addition, if one really wants to use the *hostname* of the client to allow or deny 
access, then one should also make sure that the server, when it resolves the client's IP 
address to a name, is really getting what is shown up there.
Otherwise it will not allow it, which seems to be happening here (but again, maybe I'm 
confused).


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
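
The question raised above, what the server actually resolves the client to, can be checked with a small model of the allow/deny decision. This is an added example, not part of the thread and not Tomcat's source. It assumes each pattern must match the entire string returned by `ServletRequest.getRemoteHost()`, which is the client's IP address when the container does not resolve the name; the class name and the candidate host strings marked "constructed" are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Simplified model of a RemoteHostValve decision (added example, not Tomcat source). */
public class RemoteHostFilterModel {

    // allow/deny are comma-separated lists of regular expressions, as in the valve attributes.
    static List<Pattern> compile(String list) {
        List<Pattern> out = new ArrayList<Pattern>();
        if (list == null || list.trim().isEmpty()) return out;
        for (String p : list.split(",")) out.add(Pattern.compile(p.trim()));
        return out;
    }

    // Assumption: the whole remote-host string must match a pattern (Matcher.matches()).
    static boolean anyMatch(List<Pattern> patterns, String remoteHost) {
        for (Pattern p : patterns) if (p.matcher(remoteHost).matches()) return true;
        return false;
    }

    /** @param remoteHost the string the server sees as the client's host name */
    static boolean accepted(String allow, String deny, String remoteHost) {
        List<Pattern> allows = compile(allow), denies = compile(deny);
        if (anyMatch(denies, remoteHost)) return false;   // a deny match always rejects
        if (anyMatch(allows, remoteHost)) return true;    // an allow match accepts
        return allows.isEmpty() && !denies.isEmpty();     // only deny configured: accept the rest
    }

    public static void main(String[] args) {
        String allow = "ai\\-itl\\-107", deny = "192\\.168\\.8\\.210"; // patterns from the thread
        // Candidates for what the server might see as the client's "remote host".
        String[] seen = {
            "ai-itl-107",               // reverse lookup yields the short name
            "ai-itl-107.example.test",  // reverse lookup yields a FQDN (constructed)
            "192.168.8.107",            // no lookup: the value is the client IP (constructed)
            "192.168.8.210"             // the denied address from the thread
        };
        for (String host : seen)
            System.out.printf("%-26s -> %s%n", host, accepted(allow, deny, host) ? "pass" : "403");
    }
}
```

Under these assumptions only the first candidate passes. A client that resolves to a fully qualified name, or that is seen only as an IP address, gets the 403 described in the original post.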

