6 Replies Latest reply on Sep 6, 2005 6:00 PM by kkleist

    RemoteAddrValve Problems

    kkleist

I'm having some trouble getting RemoteAddrValve/RemoteHostValve working at the host level. It is a must-have for our client to conceal JBoss/Tomcat to the extent possible, including but not limited to disallowing log-in attempts to sensitive pages/applications; therefore, I want to use a valve to deny access to these apps except from the localhost and a few other select IPs.

      I've read all the JBoss4/Tomcat5 documentation regarding these valves and visited various resources on the web. I must be dumb as a rock, but I'm still somewhat confused as to how this is supposed to be configured.

      Where exactly in an embedded Tomcat instance should the "context.xml" file(s) be placed? Please don't tell me in WEB-INF of each of the protected resources. This is supposed to be a host level deal; it seems insane to include context.xml in each of my WARs.

      Any hints, tips or explanations are greatly appreciated.

      Thanks.

        • 1. Re: RemoteAddrValve Problems

          You can declare valves in deploy/jbossweb-tomcat55.sar/server.xml within the host section (should apply to all contexts for that host).

          If the valve must be within a context, then try deploy/jbossweb-tomcat55.sar/context.xml.

          • 2. Re: RemoteAddrValve Problems
            kkleist

            Thanks Andy, but your recommendation runs contrary to the Tomcat documentation. Please see the following page:

            http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/context.html

            I've also tried dropping 'context.xml' into different directories including the one you recommend but it still doesn't seem to work.

            So I question myself:

1) Is the content of my 'context.xml' file correct (e.g., all that's in there is a single description, nothing else)?

            2) Does this feature even work?

3) In the case of a JBoss embedded Tomcat, where is CATALINA_HOME and is this variable even needed?

            The documentation is somewhat vague about the way the valve is configured, and the JBoss documentation specifically says as much.

            //Kurt

            • 3. Re: RemoteAddrValve Problems

              I'm not suggesting you place context elements in server.xml. Follow the example at http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/host.html to add the valve at the host level.

              This way, you don't need to mess with context.xml at all.

              In server.xml, you would have something like this:

<Server>
  ...
  <Engine ...>
    ...
    <Host ...>
      ...
      <Valve className="org.apache.catalina.valves.RemoteHostValve"
             allow="*.mycompany.com,www.yourcompany.com"/>
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             deny="192.168.1.*"/>
      ...
    </Host>
  </Engine>
</Server>

              These valves are defined in the Host section, not within Context. The docs claim this is allowed.

              • 4. Re: RemoteAddrValve Problems
                kkleist

So maybe we're not discussing the valve at the same level. I need to leave some apps open to the world and secure others. The docs describe doing this using a context. I have tried everything the docs have suggested and I come to the conclusion that: 1) the docs are wrong or intentionally ambiguous, or 2) request valves do not work for the scope of a context.

                "Please note that for tomcat 5.x, unlike tomcat 4.x, it is NOT recommended to place elements directly in the server.xml file. Instead, put them in the META-INF/context.xml directory of your WAR file or the conf directory as described above. "

... and while describing a request valve ...

<Context path="/examples" ...>
  ...
  ...
                //Kurt

                • 5. Re: RemoteAddrValve Problems

                  Now I'm confused.

                  I'm having some trouble getting RemoteAddrValve/RemoteHostValve working at the host level.

                  Please don't tell me in WEB-INF of each of the protected resources. This is supposed to be a host level deal;

                  If you want to protect different contexts differently, then it sounds like you will need to create a context.xml for each webapp and place it in WEB-INF. Can you post your context.xml files?

                  • 6. Re: RemoteAddrValve Problems
                    kkleist

                    Ouch. My bad. In my original post I should have written "context" and not "host". Sorry for the confusion.

The context file I've been using to test/prove is very simple. Its contents are (IPs and names changed to protect the innocent):

<Context path="/bob/admin">
  <!-- Tomcat's XML element and attribute names are case-sensitive: Context, Valve, className -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="130.107.xxx.xxx"/>
  <Valve className="org.apache.catalina.valves.RemoteHostValve" deny="bluefish.bob.com"/>
</Context>
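As an added illustration (not code from this thread or from Tomcat itself), the following Python models how the allow/deny patterns in the server.xml and context.xml snippets above are evaluated: Tomcat 5's RequestFilterValve (the parent of RemoteAddrValve and RemoteHostValve) treats each comma-separated entry as a java.util.regex pattern that must match the whole remote address or host name, checks deny patterns first, then allow patterns, and passes anything not denied only when no allow list is configured. The sample addresses and the pattern `130.107.1.*` standing in for the thread's redacted `130.107.xxx.xxx` are constructed for the demo.

```python
import re


def compile_patterns(csv):
    """Split a comma-separated allow/deny attribute into compiled regexes
    (Tomcat compiles each entry with java.util.regex.Pattern)."""
    return [re.compile(p.strip()) for p in csv.split(",") if p.strip()]


def valve_decision(value, allow="", deny=""):
    """Return True if the request passes the valve, False if it would get a 403.

    The order mirrors Tomcat 5's RequestFilterValve.process():
      1. any deny pattern that fully matches -> 403
      2. any allow pattern that fully matches -> pass
      3. deny list present but allow list empty -> pass
      4. otherwise -> 403
    Note: RemoteAddrValve compares request.getRemoteAddr(), so behind a
    reverse proxy the value tested is the proxy's address, not the client's.
    """
    denies = compile_patterns(deny)
    allows = compile_patterns(allow)
    if any(d.fullmatch(value) for d in denies):
        return False
    if any(a.fullmatch(value) for a in allows):
        return True
    if denies and not allows:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests against the thread's two configuration styles.
    # Deny-only, as in the posted context.xml: a bare '.' is a regex wildcard,
    # so '130.107.1.*' also denies 130.107.100.200; escaping the dots fixes it.
    print(valve_decision("130.107.1.5", deny="130.107.1.*"))              # False
    print(valve_decision("130.107.100.200", deny="130.107.1.*"))          # False (overmatch)
    print(valve_decision("130.107.100.200", deny=r"130\.107\.1\.\d+"))    # True
    print(valve_decision("10.0.0.1", deny="130.107.1.*"))                 # True (deny-only)
    # Allow-only, the original poster's goal: localhost plus a few select IPs.
    admin_allow = r"127\.0\.0\.1,10\.0\.0\.5"
    print(valve_decision("127.0.0.1", allow=admin_allow))                 # True
    print(valve_decision("192.168.1.7", allow=admin_allow))               # False
```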