Tomcat: Restrict access to localhost for /just one/ webapp

security tomcat webserver tomcat6
Bosh picture Bosh · Mar 7, 2011 · Viewed 26.9k times · Source

I'm running Tomcat 6 to serve several web apps, most of which are public-facing. But I'd like to restrict access to just one webapp, allowing connections only from localhost.

I can restrict access for all webapps using a valve in context.xml, as described in:

But I can't figure out how to restrict access on a per-app basis. Is there a way to do this with my app's web.xml? Or by adding additional rules to context.xml?

Thanks,

-B

Recapping Solution:

$ cp /var/lib/tomcat6/conf/context.xml \ 
   /var/lib/tomcat6/conf/Catalina/localhost/my-app-name.xml

$ cat /var/lib/tomcat6/conf/Catalina/localhost/my-app-name.xml

<Context>
    <Valve className="org.apache.catalina.valves.RemoteHostValve" allow="localhost"/>
... {as previously} ...
</Context>

Answer

Dmitry Negoda picture Dmitry Negoda · Mar 7, 2011

You can create an individual context.xml for you app.

This is an excerpt from Tomcat doc on context configuraion: Context elements may be explicitly defined:

  • In the $CATALINA_HOME/conf/context.xml file: the Context element information will be loaded by all webapps. In the $CATALINA_HOME/conf/[enginename]/[hostname]/context.xml.default file: the Context element information will be loaded by all webapps of that host.
  • In individual files (with a .xml extension) in the $CATALINA_HOME/conf/[enginename]/[hostname]/ directory. The name of the file (less the .xml) extension will be used as the context path. Multi-level context paths may be defined using #, e.g. foo#bar.xml for a context path of /foo/bar. The default web application may be defined by using a file called ROOT.xml.
  • Only if a context file does not exist for the application in the $CATALINA_HOME/conf/[enginename]/[hostname]/; in an individual file at /META-INF/context.xml inside the application files. If the web application is packaged as a WAR then /META-INF/context.xml will be copied to $CATALINA_HOME/conf/[enginename]/[hostname]/ and renamed to match the application's context path. Once this file exists, it will not be replaced if a new WAR with a newer /META-INF/context.xml is placed in the host's appBase.

Related questions

Using Apache httpclient for https

I have enabled https in tomcat and have a self-signed certificate for server auth. I have created an http client using Apache httpClient. I have set a trust manager loading the server certificate. The http client can connect with server …

Read More
Imported certificate to Java keystore, JVM ignores the new cert

I'm trying to get an application running on top of Tomcat 6 to connect to an LDAP server over SSL. I imported certificate of the server to keystore using: C:\Program Files\Java\jdk1.6.0_32\jre\lib\security>keytool -importcert -trustcacerts …

Read More
How can I restrict access to certain URLs by source IP in Tomcat?

I want to restrict access to certain URLs in my Tomcat webapp. Only 3 known IP addresses should be allowed access to URLs that fit a certain pattern. e.g. http://example.com:1234/abc/personId How can I achieve this?

Read More