Tomcat: An IPv6 Address Filtering Gotcha

This is another in my series of short posts covering my efforts to stand up a Tomcat/ACF10 development environment. For background, see the first post in the series.

In my previous post, I revisited restricting access to pages served up by Tomcat to just those requests originating from the local system. In that post, we looked at the use of Tomcat’s Remote Address Filter in order to have any denied requests be provided with a custom error page. As I noted, however, when I tried to access my Tomcat server via an IPv6-based URI (e.g., http://[::1]:8501/test.cfm), my request was being denied even though I had configured the filter to allow access to requests from the following addresses (specified via regex):

  • 127\.\d+\.\d+\.\d+
  • ::1
  • 0:0:0:0:0:0:0:1

Given the second and third of those address specifications, I would have expected my request to have been allowed. This is where having access logs configured comes in handy. Those logs showed these requests coming from 0:0:0:0:0:0:0:1%0 and being denied. OK… what’s with that trailing “%0”?

A bit of digging and I had my answer: the IPv6 address specification includes something called “scopes” that may be present. That “%0” is the default scope and (as the default) is optional. The RFC for these scopes is pretty fuzzy, so for now we will allow for an optional non-negative decimal integer for the scope (per the RFC), and if we ever end up with something else (which the RFC indicates is possible) we will revisit this. We will update our regexes to account for the possible presence of the scope:

  • 127\.\d+\.\d+\.\d+
  • ::1(%\d+)?
  • 0:0:0:0:0:0:0:1(%\d+)?

Update the list of address regexes in the filter definition, bounce the server, and Tomcat should now allow requests when invoked with an IPv6-based URI. Now we can get back to looking at the extent to which ACF10 supports IPv6.
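Before bouncing the server, the two pattern lists can be checked against the address forms that show up in the access log. The following is an added example, not code from the original post or from Tomcat: the class `AddrFilterCheck` and the helper `allowed` are hypothetical names, the sample addresses are constructed, and it assumes an address is allowed only when a pattern matches the whole string.

```java
import java.util.regex.Pattern;

public class AddrFilterCheck {
    // Patterns copied from the post: before and after the scope fix.
    static final String[] BEFORE = {
        "127\\.\\d+\\.\\d+\\.\\d+", "::1", "0:0:0:0:0:0:0:1" };
    static final String[] AFTER = {
        "127\\.\\d+\\.\\d+\\.\\d+", "::1(%\\d+)?", "0:0:0:0:0:0:0:1(%\\d+)?" };

    // Assumption: a request is allowed only if one pattern matches the
    // entire address string (Pattern.matches), not just part of it.
    static boolean allowed(String[] patterns, String addr) {
        for (String p : patterns) {
            if (Pattern.matches(p, addr)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample addresses; "0:0:0:0:0:0:0:1%0" is the form
        // the post's access log reported.
        String[] samples = {
            "127.0.0.1",
            "0:0:0:0:0:0:0:1",
            "0:0:0:0:0:0:0:1%0",     // denied before, allowed after
            "::1%0",                 // denied before, allowed after
            "0:0:0:0:0:0:0:1%eth0",  // non-numeric scope: denied by both lists
            "192.168.1.20"           // non-local address: denied by both lists
        };
        for (String addr : samples) {
            System.out.printf("%-24s before=%-5b after=%b%n",
                addr, allowed(BEFORE, addr), allowed(AFTER, addr));
        }
    }
}
```

The `%eth0` row is the case the post defers: a scope that is not a decimal integer is still denied by the updated patterns, so the filter fails closed for that form rather than open.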

A final thought on this: you may or may not encounter this, as I have the distinct impression this behavior is a function of the environment (at least the OS and/or the JDK under Tomcat). I’ve blogged it simply because I tripped over it.