tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: Context Path for a subdirectory
Date Mon, 03 Dec 2012 23:50:18 GMT
Leo Donahue - RDSA IT wrote:
> _______________________________________
> From: Christopher Schultz [chris@christopherschultz.net]
> Sent: Friday, November 30, 2012 8:13 PM
> To: Tomcat Users List
> Subject: Re: Context Path for a subdirectory
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Leo,
> 
> On 11/30/12 5:52 PM, Leo Donahue - RDSA IT wrote:
>> Ok, so before I upgraded to Tomcat 7.0.33 to use the container
>> supplied remote address filter, what were my options to restrict
>> access to just a subdirectory of a web app in Tomcat 6.0.35?
> 
> Please remember that you aren't protecting a directory. Ever. You are
> protecting a url-pattern and nothing more. 
> - -chris
> 
> 1st, sorry for the format, I'm on vacation and webmail doesn't format replies the way
I'd like.
> (sorry chuck, not taking your advice from before on getting out more.  maybe tomorrow...)
> 
> I have heard this before, and now I'm beginning to understand why I keep hearing this
same comment.  I now realize my choice of words in describing what I was trying to do leads
to this comment.
> 
> As many times as I've heard, "you're not protecting a directory, and some other people
use the phrase 'resource'..." I always thought that there was some trick to getting by the
url-pattern that no one wanted to mention.
> 
> As far as the URL vs directory, the server is pretty locked down - so I'm told, and the
IP I use is the IP of the host.  
> 
> Ultimately I wanted to restrict access to the URL /rest/admin to requests made by the
local host only to that URL.
> 
> webapps
>   rest
>     www
>       admin
> 

Ok, so the way I would go about it, taking into acount my limited knowledge about webapp'

"security constraints" and the like, but having written at least one servlet filter before
:

1) your webapp is the "rest" webapp
2) inside that webapp, the url category which you want to protect against accesses by 
other client IP's than "localhost" is : "/www/admin" and "/www/admin/*".
(The "/rest" part falls off, because you are already inside of it).
3) you can for that write your own servlet filter, or use an existing one : see 
http://www.tuckey.org/urlrewrite/
4) the basic plan is to insert a servlet filter into your "webapp stack", which filter 
will only be active (inserted in the request processing chain) when a URL of the type in 
item (2) above is involved; and it will not be activated and play no role in other cases 
(e.g. for URL paths outside of /rest/www/admin) (*)
5) you configure this in the web.xml of your webapp (../webapps/rest/WEB-INF/web.xml) 
exactly as shown on the webpage indicated above, except for
<filter-mapping>
...
   <url-pattern>/www/admin<url-pattern>
   <url-pattern>/www/admin/*<url-pattern>
...
</filter-mapping>
(*)

The UrlRewriteFilter is probably a bit "heavy-duty" for the simple filtering which you 
want. But at the same time, it is well-written, well-tested, optimised, and you will 
probably benefit from knowing it, as it can do *much* more than what you need here.

Writing your own filter is not very difficult, but if you have not done it before there 
are some particular aspects that need a bit of getting used to (such as for instance that

the request object is immutable, and thus to modify the request - which you do not need 
here - you need to "wrap" it into your own version of it, and modify that one).
This being said, it's fun.


(*) I mean that it is the container that does the inserting or not of the filter, 
depending on these <url-pattern> lines, you do not have to take care of that.
Inside of your filter code, you just filter every request you get our hands on,since you 
know that your code is only called when the request URL matches.

And sorry if you knew all that already. It just did not sound that you were too sure.

P.S. If you decide to use UrlRewriteFilter, you should be looking at the documentation 
(http://urlrewritefilter.googlecode.com/svn/trunk/src/doc/manual/4.0/index.html), and at
a rule using this in the <from> part :

remote-addr :
	The IP address of the host making the request, e.g. 123.123.123.12
i.e. request.getRemoteAddr()
(you probably want to negate this, and check for "not (127.0.0.1 or ::1)")

and probably this in the <to> part :
forward (default) :
	Requests matching the "conditions" for this "rule", and the URL in the "from" element 
will be internally forwarded to the URL specified in the "to" element. Note: In this case

the "to" URL must be in the same context as UrlRewriteFilter. This is the same as doing:
RequestDispatcher rq = request.getRequestDispatcher([to value]);
rq.forward(request, response);
(to forward the miscreants to a no-no page of your choice.)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message