Tomcat: Revisiting IP Access Restriction

This is another in my series of short posts on configuring Tomcat as I get a Tomcat/ACF10 development environment configured. For a bit of background, see the first post in the series.

We took a quick look earlier at restricting access to my Tomcat server based on the IP address from which the request originated. In that first take, we used Tomcat’s Remote Address Valve component to restrict access to just requests from the local system. In that post, I indicated we would probably look at this subject again in the future. Here’s my second look… and I know we have at least one more coming.

One of the first items I plan on digging into with ACF10 is how it deals with IPv6. As I started poking around the edges of this, I discovered two things that merited further investigation:

  1. Requests to my local server with an IPv6-based URI (e.g., http://[::1]:8501/sample.cfm) were being blocked despite the inclusion of the IPv6 versions of the local server address (i.e., ::1 and 0:0:0:0:0:0:0:1) in our earlier Valve-based set of allowed addresses, and
  2. I was not seeing my custom 403 error page that I expected, based on my earlier work to configure one

To figure out what’s going on with the second of those two items, let’s look at where the addressed-based restrictions were implemented vs. where the custom error pages were configured:

  • My Valve-based address restrictions were implemented within the Host element in ./cfusion/runtime/conf/server.xml
  • My custom error pages were configured in the web-app element within ./WEB-INF/web.xml

It’s not too big a leap to see that the two items are configured at two different levels within the overall configuration of Tomcat and the ColdFusion Web application. This is one of those places I’ve bumped into the “there is more than one way to get there” aspect of Tomcat. Tomcat also provides a Remote Address Filter which provides the same functionality as the valve we used in our first run at this. As a filter, it is configured for the Web application (i.e., at the same level as our custom error pages) so it made sense this might address problem #2 from above.

Add the following filter specification to ./WEB-INF/web.xml as the first filter:

<filter>
   <filter-name>Remote Address Filter</filter-name>
   <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
   <init-param>
      <param-name>allow</param-name>
      <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
   </init-param>
</filter>
...

Add the following filter-mapping specification to the same file as the first such mapping:

<filter-mapping>
   <filter-name>Remote Address Filter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>
...

Remove the corresponding Valve specification from ./cfusion/runtime/conf/server.xml. Bounce the server and verify that the custom error pages are still being served appropriately.

In my next post, we’ll figure out what’s going on with IPv6-based URI’s and why we’re still being blocked (although now we at least get our custom error page). And as noted above, we’ll revisit this whole subject of address-based access restrictions at least one more time in the future.