tomcat-users mailing list archives

From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: Prevent Outbound connections from WebApplication
Date Fri, 30 Sep 2016 07:28:37 GMT
On 30.09.2016 09:07, Harneet Singh wrote:
> Hello All,
>
> I have a java application which is hosted in Tomcat 7.0.62.
> As part of business logic the code sometimes connects to remote hosts and
> downloads resources.
> Is there a way I can specify a whitelist using the Tomcat configuration?
>
> Means I only want my application to be able to fetch data from
> www.google.com but any request going from my web application hosted in
> my Tomcat needs to be denied for any of the other hosts.
>
> I know the workaround can be I configure the firewall on the machine to
> deny any such requests, but that would be operating system specific and I
> would like to achieve this using Tomcat configuration, without changing my
> code.
>
> Thanks again for reading this and trying to help :)
>

Tomcat itself is unaware of any outgoing connections that a webapp may make, so there is 
no way in Tomcat itself to control this.

But the Java JVM which runs Tomcat (and thus the webapp) is aware of such connections.
So maybe you should look at starting Tomcat under the Java Security Manager, and check 
which options are available there?  That is portable, because it is a JVM option which 
should work the same way everywhere.

Look in the file "(tomcat-dir)/conf/catalina.policies" for examples, like:

// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };

Note that enabling the security manager may have other effects on your applications, so 
you should test this comprehensively before enabling it just for your one application.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
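
Added example, not part of the original message or of Tomcat's shipped files: a policy fragment for the whitelist asked about in the question, written in the Java policy-file syntax used by conf/catalina.policy. The webapp name "myapp" and port 443 are assumptions.

```java
// Fragment for (tomcat-dir)/conf/catalina.policy (added example).
// "myapp" is a hypothetical webapp directory; port 443 assumes HTTPS.
//
// The policy file is only enforced when Tomcat runs under the
// Java Security Manager:
//     bin/catalina.sh start -security

// Too broad: allows connections to any host on any port, so it is
// not a whitelist. Shown commented out for comparison only.
// grant codeBase "file:${catalina.base}/webapps/myapp/-" {
//     permission java.net.SocketPermission "*", "connect,resolve";
// };

// Whitelist: code loaded from the webapp (WEB-INF/classes and every
// jar under WEB-INF/lib, matched by the trailing "/-") may resolve
// and connect to this one host and port only.
grant codeBase "file:${catalina.base}/webapps/myapp/-" {
    permission java.net.SocketPermission "www.google.com:443", "connect,resolve";
};

// Policy grants are additive and there is no "deny" entry. The
// whitelist only holds if no other grant block that applies to the
// webapp (including blocks without a codeBase, which apply to all
// code) gives it a broader SocketPermission or AllPermission.
```

Under the security manager, an outbound connection that is not covered by a grant fails with java.security.AccessControlException, which is what to look for in the logs when testing the policy.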

