The Remote Address Filter, or Remote Address Valve, lets you
check the remote machine's IP address and decide whether to allow or deny access. This
is really useful when you want to enforce system-to-system authentication. The filter
is an interceptor that the Tomcat server uses to check whether a
remote server can access the application. For more information, see the original documentation at http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter. In this post, I explain the power of regular expressions when configuring IP addresses in the allow or deny attribute.
1. A sample valve configuration that allows access only to
localhost is:
<Valve
className="org.apache.catalina.valves.RemoteAddrValve"
allow="127.0.0.1"/>
2. The "allow" attribute can take comma-separated values to
support configuring more than one remote IP address. This is useful when you
have only a few IP addresses. A long list of IP addresses
is hard to maintain this way. In that case, you can configure the
filter with a wildcard character to allow (or deny) multiple IP addresses.
A sample is below:
<Valve
className="org.apache.catalina.valves.RemoteAddrValve"
allow="10.110.156.*"/>
The above will allow addresses from 10.110.156.0 to 10.110.156.255.
3. Alternatively, the Tomcat server lets you use regular expressions for fine
control over which IP addresses are configured. Look at the examples
below:
<Valve
className="org.apache.catalina.valves.RemoteAddrValve"
allow="10\.110\.156\.\d{1,3}"/>
The above will allow IP addresses from 10.110.156.0 to
10.110.156.999. This is almost the same as the result of the wildcard example shown
above.
4. You may still want to fine-tune the values:
<Valve
className="org.apache.catalina.valves.RemoteAddrValve"
allow="10\.110\.156\.[1-2][0-9]"/>
The above will allow IP addresses from 10.110.156.10 to
10.110.156.29 only.
So proper filtering of IP addresses really comes down to how you write the
regular expression. This link
http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html
provides more detailed information on regular expressions.
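The following is an added example, not code from the original post or from Tomcat: it runs the four allow values shown above, plus a stricter last-octet pattern, through java.util.regex against constructed sample addresses. The class name, the "strict" pattern and the sample addresses are assumptions made for illustration, as is the use of whole-string matching (Matcher.matches()).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example: checks the allow patterns from this post against constructed
// sample addresses. Assumes the whole address string must match the
// expression, which is what Matcher.matches() tests.
public class AllowPatternCheck {

    // True if the complete remote address matches the allow expression.
    static boolean allowed(String allowRegex, String remoteAddr) {
        return Pattern.compile(allowRegex).matcher(remoteAddr).matches();
    }

    public static void main(String[] args) {
        // The four allow values from the post, plus a stricter last octet (0-255).
        Map<String, String> patterns = new LinkedHashMap<>();
        patterns.put("localhost", "127.0.0.1");
        patterns.put("wildcard", "10.110.156.*");
        patterns.put("digits", "10\\.110\\.156\\.\\d{1,3}");
        patterns.put("range", "10\\.110\\.156\\.[1-2][0-9]");
        patterns.put("strict", "10\\.110\\.156\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)");

        // Constructed sample addresses (not taken from any real log).
        String[] samples = {
            "127.0.0.1", "0:0:0:0:0:0:0:1", "10.110.156.7", "10.110.156.29",
            "10.110.156.30", "10.110.156.255", "10.110.156.999", "10.110.157.7"
        };

        // Print one row per address and one column per pattern.
        System.out.printf("%-16s", "address");
        for (String name : patterns.keySet()) System.out.printf("%-10s", name);
        System.out.println();
        for (String addr : samples) {
            System.out.printf("%-16s", addr);
            for (String regex : patterns.values())
                System.out.printf("%-10s", allowed(regex, addr) ? "allow" : "-");
            System.out.println();
        }
    }
}
```

The 0:0:0:0:0:0:0:1 row shows that allow="127.0.0.1" does not match the IPv6 form of the loopback address, so a local client connecting over IPv6 needs its own alternative in the expression. The 10.110.156.999 row is not a real address; it is there to show how much wider \d{1,3} is than a 0-255 octet.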
Happy securing your Tomcat server!