Enterprise Architecture & Integration, SOA, ESB, Web Services & Cloud Integration

Enterprise Architecture & Integration, SOA, ESB, Web Services & Cloud Integration

Thursday, 6 November 2014

Tomcat authentication using Remote Address Filter / Remote Address Valve



Remote Address Filer or Remote Address Valve lets you to check the remote machine IP address and decide whether to allow or deny access. This is really useful when you want to enforce system to system authentication. Filter is nothing but an interceptor which will be used by Tomcat server to check if remote server can access the application. For more information, you can check the original documentation at http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter. In this post, I am trying to explain the power of regular expressions in configuring IP addresses in allow or deny attribute.

 1. A sample valve configuration that allows access only to localhost is:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>

2. The "allow" attribute can take comma separated values to support configuring more than one remote IP address. This is useful when you have a few IP addresses. If you need to configure a big list of IP addresses, this is going to be tough for you. In this case, you can configure the filter with wild card character to allow (or deny) multiple IP addresses. Sample is as below:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10.110.156.*"/>
The above will allow from 10.110.156.0 to 10.110.156.255.

3. Alternatively, Tomcat server allows you to use regular expression to have fine control on the way IP addresses are being configured. Look at the below examples:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10\.110\.156\.\d{1,3}"/>
The above will allow IP addresses from 10.110.156.0 to 10.110.156.999. This is almost similar to output of wildcard example shown above.

4. You may want to still fine tune the values.
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10\.110\.156\.[1-2][0-9]"/>
The above will allow IP addresses from 10.110.156.10 to 10.110.156.29 only.

So it is really up to how you write regular expression to achieve proper filtering of IP addresses. This link http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html can provide more detailed information on regular expressions.

Happy securing tomcat server!


Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)