Limiting client access using Tomcat (Engine, Host, or Context level)
If you want to limit client access at a high level, such as the entire server, use a Tomcat valve. Tomcat ships two valves that filter traffic based on the client's IP address: RemoteAddrValve, which matches the numeric client address, and RemoteHostValve, which matches the client's resolved host name (this only works when the connector has DNS lookups enabled, and a reverse-DNS name is easier for a client to spoof than its address). Both valves extend RequestFilterValve and are configured the same way, with comma-delimited "allow" and "deny" lists of regular expressions.
For a discussion of how to configure Tomcat valves see http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/index.html.
To configure a Tomcat valve in JBoss, you edit the embedded Tomcat configuration. Which file that is depends on the JBoss version:
- For JBoss 3.2.4 and higher, server.xml is found in <jboss install dir>/server/<configuration>/deploy/jbossweb-tomcat50.sar
- For JBoss 3.2.3 and lower, jboss-service.xml is found in <jboss install dir>/server/<configuration>/deploy/jbossweb-tomcat41.sar/META-INF
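As an added example (not taken from the page or from a JBoss distribution), this is a RemoteAddrValve placed at Host level in the server.xml of a JBoss 3.2.4+ install. The host name, appBase and the address ranges are placeholders for this example; the same Valve element can be nested in the Engine (applies to every host) or in a Context (applies to one web application).

```xml
<!-- Fragment of deploy/jbossweb-tomcat50.sar/server.xml (Server > Service > Engine). -->
<Host name="localhost" appBase="webapps">

  <!-- Only loopback and the constructed 10.1.2.0/24 range may connect,
       except 10.1.2.99, which is rejected before the allow list is consulted.
       allow/deny are comma-separated java.util.regex patterns that must match
       the WHOLE client address: escape the dots (an unescaped "." matches any
       character) and end a range with .* to cover the remaining octets. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,10\.1\.2\..*"
         deny="10\.1\.2\.99"/>

</Host>
```

A client that is denied receives a 403 Forbidden from Tomcat before any web application sees the request. Note that the valve compares the address of the peer that opened the TCP connection; behind a reverse proxy or load balancer that is the proxy's address, not the end user's, so the valve cannot distinguish end users in that deployment.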
Limiting client access using a servlet filter (Servlet or url-pattern level)
If you want to limit client access to a particular servlet, or to requests that match a url pattern, you can use the servlet filter attached to this page. It requires JDK 1.4 or higher (it relies on java.util.regex). To install it, place the attached jar in the WEB-INF/lib directory of your web application. If you want to use it in multiple web applications, put it in <jboss install>/server/<configuration>/lib instead.
There is also an attached example web.xml file that shows how to configure the filter. The filter must also be bound to a servlet or url-pattern with a <filter-mapping> element, otherwise it is never invoked. The main part to look at is the filter definition:
  <filter>
    <filter-name>RemoteHostFilter</filter-name>
    <filter-class>org.jboss.remotehostfilter.RemoteHostFilter</filter-class>
    <init-param>
      <param-name>deny</param-name>
      <param-value>150.0.0.*</param-value>
    </init-param>
    <init-param>
      <param-name>allow</param-name>
      <param-value>192.4.5.6,127.0.0.*</param-value>
    </init-param>
  </filter>
This filter is configured by setting the "allow" and/or "deny" init-params to a comma-delimited list of regular expressions (in the syntax supported by the java.util.regex package) against which the client IP address, as reported by ServletRequest.getRemoteAddr(), is compared. Each expression has to match the whole address, and remember that an unescaped "." is a regex wildcard, so patterns written like the ones above match more than a literal dotted address.
Evaluation proceeds in this order:
- If any deny expressions are configured, the IP is compared to each of them. If one matches, the request is rejected with a 403 "Forbidden" HTTP response.
- If any allow expressions are configured, the IP is compared to each of them. If none matches, the request is rejected with a 403 "Forbidden" HTTP response.
- Otherwise (no deny match, and either an allow match or no allow expressions at all), the request continues normally.
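To see what a given allow/deny configuration will actually do before deploying it, the following standalone class reimplements the evaluation order above and runs it against a few constructed addresses, including the unescaped-dot case. This is an added example: it is not the attached org.jboss.remotehostfilter.RemoteHostFilter and not JBoss or Tomcat code, and the class name IpAccessPolicy, its methods and the sample addresses are this example's own. It compiles with a plain JDK; no servlet API is needed.

```java
import java.util.regex.Pattern;

/*
 * Added example, not the attached RemoteHostFilter and not JBoss/Tomcat code.
 * Reimplements the deny-then-allow evaluation described above so that a
 * configuration can be checked offline. Names are this example's own.
 */
public class IpAccessPolicy {

    private final Pattern[] allows;
    private final Pattern[] denies;

    /** allow and deny are comma-delimited java.util.regex patterns; null or empty means "not configured". */
    public IpAccessPolicy(String allow, String deny) {
        allows = compile(allow);
        denies = compile(deny);
    }

    private static Pattern[] compile(String csv) {
        if (csv == null || csv.trim().length() == 0) {
            return new Pattern[0];
        }
        String[] parts = csv.split(",");
        Pattern[] out = new Pattern[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = Pattern.compile(parts[i].trim());
        }
        return out;
    }

    private static boolean matchesAny(Pattern[] patterns, String ip) {
        for (int i = 0; i < patterns.length; i++) {
            // matches() requires the pattern to cover the whole address, so a
            // prefix such as "10\.1\.2" needs a trailing .* to admit "10.1.2.5".
            if (patterns[i].matcher(ip).matches()) {
                return true;
            }
        }
        return false;
    }

    /** true: pass the request on; false: reject it with 403 Forbidden. */
    public boolean isAllowed(String ip) {
        // 1. Any deny match rejects the request outright.
        if (matchesAny(denies, ip)) {
            return false;
        }
        // 2. If an allow list is configured, the address must match one of its entries.
        if (allows.length > 0) {
            return matchesAny(allows, ip);
        }
        // 3. No allow list and no deny match: the request continues.
        return true;
    }

    private static void report(IpAccessPolicy policy, String ip, String note) {
        System.out.println(ip + " -> " + (policy.isAllowed(ip) ? "allowed" : "403 Forbidden") + "  [" + note + "]");
    }

    public static void main(String[] args) {
        // The allow/deny values from the web.xml fragment above; the addresses are constructed.
        IpAccessPolicy asWritten = new IpAccessPolicy("192.4.5.6,127.0.0.*", "150.0.0.*");
        report(asWritten, "127.0.0.1", "allow entry");
        report(asWritten, "150.0.0.7", "deny entry, checked before the allow list");
        report(asWritten, "10.0.0.1", "allow list present, no entry matches");
        report(asWritten, "127a0b0c1", "unescaped dots match any character");

        // Same policy with the dots escaped, so only real dotted-quad addresses match.
        IpAccessPolicy escaped = new IpAccessPolicy("192\\.4\\.5\\.6,127\\.0\\.0\\..*", "150\\.0\\.0\\..*");
        report(escaped, "127a0b0c1", "escaped pattern");
        report(escaped, "127.0.0.1", "escaped pattern");

        // Deny-only configuration: everything that is not denied continues.
        IpAccessPolicy denyOnly = new IpAccessPolicy(null, "150\\.0\\.0\\..*");
        report(denyOnly, "8.8.8.8", "no allow list configured");
    }
}
```

Inside a javax.servlet.Filter this policy would be built once in init() from the "allow" and "deny" init-params and consulted in doFilter() with request.getRemoteAddr(); a false result is answered with HttpServletResponse.sendError(SC_FORBIDDEN) instead of calling the chain. Keep in mind that getRemoteAddr() reports the peer of the TCP connection, so behind a reverse proxy or load balancer every request carries the proxy's address and the filter cannot tell end users apart; the Tomcat valves above have the same limitation.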
Attachments: