tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Context Path for a subdirectory
Date Sat, 01 Dec 2012 03:13:05 GMT
Hash: SHA1


On 11/30/12 5:52 PM, Leo Donahue - RDSA IT wrote:
> Ok, so before I upgraded to Tomcat 7.0.33 to use the container 
> supplied remote address filter, what were my options to restrict 
> access to just a subdirectory of a web app in Tomcat 6.0.35?

<security-constraint> on a <web-resource-collection> with whatever
<url-pattern> you want. In web.xml. As Chuck says, restricting by IP
address requires that you step outside of the spec-compliant stuff and
either write your own Valve (counterproductive IMO), use url-rewrite
(our favorite 3rd-party tool), or write your own filter.

Please remember that you aren't protecting a directory. Ever. You are
protecting a url-pattern and nothing more. While Apache httpd allows
you to protect directories such that multiple URLs mapping to that
directory are always protected, there is no such analog in the Tomcat
world: you will always have to protect based upon URL patterns.

> I'll admit, contexts are confusing to me.

A context is a thing which has been deployed as a web application.
It's got its own web.xml (even if it doesn't actually have one: it
will get a default one), ClassLoader, etc.

> You can create contexts in conf\Catalina\localhost that map to
> places that are not even in the webapps folder, but expose
> themselves as a URL to the end user.

They don't even have to be backed by the filesystem, really. If Tomcat
allowed you to deploy WARs from a database, there really is no
filesystem at all.

A file in conf/Catalina/localhost can define a context. By default,
any .war file or directory in Tomcat's webapps/ directory will be
auto-deployed as a context as well. If you want to, you can even put a
directory in webapps/ and also create an alias to it using a file in
conf/Catalina/localhost, but it's generally not recommended because a)
that's not usually what you want to do and b) it's confusing as hell.

> My thought was if I could create a context that mapped to a 
> subdirectory, I could create a valve that restricted access to
> that URL.

There is no reason for the second context: if you have the Valve, you
can restrict it by url-pattern in the one-and-only webapp and not have
to artificially create another webapp just for that purpose.

> What is the right way to do this in Tomcat 6.0.35?

If you need IP-based authorization in Tomcat 6.0.35, I'd go for
url-rewrite. Just map /path/to/protect/* to url-rewrite and set up a
rule that says "ip != your.special.ip" -> 403.html (or whatever).

- -chris
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools -
Comment: Using GnuPG with undefined -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message