Tomcat is one of the most powerful webserver for implementing Java applications. As an administrator, you may need to restrict access to your webserver and practically you have got lots of options to achieve this requirement. However, One of the easiest ways to allow or deny access to Tomcat is via Remote Address filter of Tomcat valves component. You can achieve it by adding following component to your server.xml file:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" Attribute" />
According to Apache Tomcat documentation, Remote Address has following attributes:
- allow
- deny
- denyStatus
- addConnectorPort
- invalidAuthenticationWhenDeny
Allow Certain IP Addresses:
For example, if you want to allow IP x.x.x.x , y.y.y.y and subnet of z.z.z.* you need to add following:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="x.x.x.x,y.y.y.y,z.z.z.*" />
Above configuration forces Tomcat to allow clients with these specific IP addresses only.
Allow localhost to access via default port while other addresses are accessible via 1234:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
addConnectorPort="true"
allow="127\.\d+\.\d+\.\d+;\d*|::1;\d*|0:0:0:0:0:0:0:1;\d*|.*;1234"/>
With above configuration, localhost (127.0.0.1) is able to access tomcat via default connector port while all other users are accessing tomcat via port 1234.
In this example, addConnectorPort configured as true and it means, tomcat compares allowed IP addresses against IP:PORT where IP is the client IP and PORT is the Tomcat connector port.
Note:
- If you are using DHCP, this configuration may not be suitable for you since your IP Address may change via DHCP.
- If your application is integrated with other applications, you need to ensure that IP Address of those applications is listed in Tomcat. Otherwise, they are not able to communicate.
- You are able to add Regex instead of individually adding IP Addresses