Thursday, 10 December 2015

Tomcat host based whitelisting

This is how to white list based on host names in tomcat.
you need to use RemoteHostValve in server.xml in the HOST container.
below is how it looks:


<Valve className="org.apache.catalina.valves.RemoteHostValve"
                    deny="^(?!(sherif\.tot\.corp\.com|ashraf\.co\.corp\.com|.*\.help\.corp\.com|.*\.corp\.com)).*$"
                    />

for this to work correclty, you need to enable lookups in the Tomcat connectors:

 <Connector acceptCount="100"
                   URIEncoding="UTF-8"
                   connectionTimeout="20000"
                   executor="tomcatThreadPool"
                   maxKeepAliveRequests="15"
                   port="${bio.http.port}"
                   enableLookups="true"
                   protocol="org.apache.coyote.http11.Http11Protocol"
                   redirectPort="${bio.https.port}"/>

The above will allow hosts mentioned to access the tomcat, any other hosts will be denied.
Wild cards are allowed as in the last 2 entried.
Oring happens using "|" (pipes) and the RegEx is java RegEx so take care since it is not same as standard Unix RegEx.

No comments:

Post a Comment