Return-Path: 
 <users-return-243636-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
X-Original-To: apmail-tomcat-users-archive@www.apache.org
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 6B23D107EB
	for <apmail-tomcat-users-archive@www.apache.org>;
 Fri, 13 Sep 2013 16:11:07 +0000 (UTC)
Received: (qmail 81501 invoked by uid 500); 13 Sep 2013 15:51:48 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 73258 invoked by uid 500); 13 Sep 2013 15:49:06 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 66599 invoked by uid 99); 13 Sep 2013 15:27:42 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Sep 2013 15:27:42 +0000
X-ASF-Spam-Status: No, hits=-0.0 required=5.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: local policy)
Received: from [134.68.171.23] (HELO mhw.ulib.iupui.edu) (134.68.171.23)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Sep 2013 15:27:37 +0000
Received: from mwood by mhw.ulib.iupui.edu with local (Exim 4.80.1)
	(envelope-from <mwood@IUPUI.Edu>)
	id 1VKVH9-0008Rt-85
	for users@tomcat.apache.org; Fri, 13 Sep 2013 11:27:15 -0400
Date: Fri, 13 Sep 2013 11:27:15 -0400
From: "Mark H. Wood" <mwood@IUPUI.Edu>
To: users@tomcat.apache.org
Subject: Re: problem with Remote Address Filter
Message-ID: <20130913152715.GE14597@IUPUI.Edu>
References: 
 <CAB+f9r+EBCcSxCN3V95OHGppv-HbYa=SSXvWrKrqnkX1CAn1zA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="tNQTSEo8WG/FKZ8E"
Content-Disposition: inline
In-Reply-To: 
 <CAB+f9r+EBCcSxCN3V95OHGppv-HbYa=SSXvWrKrqnkX1CAn1zA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Virus-Checked: Checked by ClamAV on apache.org

--tNQTSEo8WG/FKZ8E
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Sep 12, 2013 at 01:14:58PM -0700, Garey Mills wrote:
>     I'm running Apache Tomcat Version 7.0.29. I have inserted a Remote
> Address filter into server.xml inside of the <Host> tag. It is not blocki=
ng
> addresses that are not in <Allow>.

That's probably because Filters don't go there.  They are configured
in web.xml.

http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Introduction

See RemoteAddrValve for a component that can be configured in
server.xml or an external Context descriptor.

http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Fi=
lter

>     I am using the Remote Address filter because I want to allow access
> only to addresses in our institution's community. This is a large
> institution and we have 4 or 5 class B address ranges, maybe 10 class Cs,
> and a number of broken ranges. The regular expression runs to 8181
> characters without doubling up on \. It does, however, work in a test Java
> class that I wrote, correctly allowing and disallowing a test group of
> addresses.
>=20
>     One question I have is that the example in
>=20
>=20
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Address=
_Filter
>=20
> has single backslashes, but in order to make the pattern work in my test
> class, I had to double up on the slashes. I took a look at the
> RequestFilter code, and it looks like the pattern string is just passed to
> Pattern.compile, so the pattern in the filter should need double slashes.
> I've tried it both ways and neither worked.

If you are calling the filter from Java code, you probably are passing
it the pattern in a String constant.  The double backslashes are needed to
get single backslashes into the content of the String, because they are
string escapes in Java and must themselves be escaped.

The Tomcat configuration files are not Java and the conventions are
different.  Single backslashes work just fine for me with the
RemoteAddrValve, and I don't see why they should not work in
configuring the RemoteAddressFilter.

--=20
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Machines should not be friendly.  Machines should be obedient.

--tNQTSEo8WG/FKZ8E
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)

iEYEAREIAAYFAlIzLtMACgkQs/NR4JuTKG+zkACeLtdkXs+9hy0zVorFg3GeYyXq
Ik8AoIJz4bRKGcebAlGtfuBBEbagedVl
=OvRd
-----END PGP SIGNATURE-----

--tNQTSEo8WG/FKZ8E--