allow requests from a certain url with remote host filter

Bram van Rooij
Greenhorn

Joined: Sep 09, 2011
Posts: 4
Hello,
I am running geoserver in tomcat. I want to restrict access to the geoserver in such a way that only requests from my website get served.
Maybe this is where I'm going wrong, but as far as I understand I can do this in the server.xml and add a remote host filter. But since this is not working, I'm starting to have doubts whether this does what I think it does.
I got it working with a remote address filter, but not with a remote host filter...

So: Can I allow requests from a certain url with a remote host filter? And if so, does anybody have a clue what I could be doing wrong? I can elaborate on what I've done, but maybe the answer to my first question will make the 2nd question redundant...

I know this must be an absolute noob question, but I will get a headache soon, sinc:

Thanks for your help!
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15641
    

Welcome to the JavaRanch, Bram!

If you want to keep outsiders out of your upstream geoserver, the best way to do that is to protect the geoserver itself. Assuming that it's not a Tomcat server, that would normally be done via one or more of the following:

1. Keep the geoserver out of direct public view. Behind a firewall and/or a DMZ, just as you would do for databases.
2. Set access rights on the geoserver itself. This is done via the access control mechanisms native to whatever server application hosts the geoserver (for example Apache httpd).

Nitpick: you don't make requests from a URL, you make them for (to) a URL. A URL is more than just a hostname, and in fact, hostnames are optional, since the first thing the client does is use the system's Name Resolution Services to convert the target hostname to an IP address.

Hostname filtering on the client is a different matter, and it's not concerned with URLs. When you set up a hostname filter, the server will use reverse name resolution to convert the incoming request's source IP address to a host and domain name which it then matches up against the hostname pattern list. Hostname filtering carries a lot more overhead than IP address filtering, since the reverse name resolution often means having to make a DNS server request to get the hostname for the IP address. Depending on the server software in use and its option settings, this may be more of a one-time hit, since the server can cache this hostname if it wants.

You really wouldn't want to believe hostnames sent directly as part of an incoming request. That kind of stuff is easy to spoof. The reverse name resolution approach is much safer, since TCP/IP can only return responses to a valid IP address.


Customer surveys are for companies who didn't pay proper attention to begin with.
Bram van Rooij
Greenhorn

Joined: Sep 09, 2011
Posts: 4
Hello Tim,

Thanks for your welcome and your quick reply.
I'm fairly new to all of this, so sorry if I'm confusing some terms and stuff...

I'm not sure if I made myself clear enough (or that I understood you).
Geoserver is deployed as a .war file in Tomcat. So Tomcat hosts my geoserver. What I've tried to do in the server.xml is:
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="www.example.com/after-login/map"/>

My website is done in Drupal, there's a public part and a part that requires a username and password. What I hoped to do is that the geoserver would only serve to www.example.com/after-login/map. The only way to reach the map is to log in.

Do I understand correctly that RemoteHost (in the valve thingy) is not an URL?

Thanks for your help (and patience)
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15641
    

Yep. The remote host is only the "www.example.com" part. Even the port ID (if given) isn't the host ID. And, like I said, a URL goes to something, not from it.
Bram van Rooij
Greenhorn

Joined: Sep 09, 2011
Posts: 4
Yeah, I understood a URL goes to something. I was looking at it the wrong way. I should have said the geoserver should only accept requests coming from certain URLs. My mistake!

I tried to use the hostname, but then it blocks the geoserver... I tried using example.com, www.example.com and http://www.example.com but nothing worked... My website (and hostname) has a - in the name, I tried \ it, but to no use...
I'm a bit puzzled...

(You mentioned using apache for security. Would that be using a .htaccess file?)

Thank you!
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15641
    

You're still looking at it the wrong way. A URL has the destination server in it - meaning in your case the geoserver, not the source server. An HTTP[S] request MAY also carry a remote-host header, but those can be spoofed, and in any event the RemoteHostValve isn't going to be looking at the content of the request, only its source.

You can configure Tomcat to only accept traffic coming from "www.example.com". You can configure the geoserver to only accept URLs that are in the form "/after-login/map" if you have the ability to modify the webapp itself. To otherwise limit the request portion of the URL means adding a request filtering valve or fronting Tomcat with Apache or some other proxy that can be programmed to discriminate against incoming URL requests - although for a backend server that's a bit overkill.

But you can't set up Tomcat or any other webserver - Java or not - to forbid incoming requests from www.myclient.com/after-login/map because HTTP doesn't even create such things. The URL is always the target, not the source. That's why it's a Uniform Resource Locator.
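
An added illustration, not written by any poster in this thread: the valve as posted, beside the host-name and address forms discussed above. The address 192.0.2.10 and port 8080 are placeholders, and the fragments assume a stock Tomcat server.xml layout.

```xml
<!-- Added example. These are separate server.xml fragments, not one file:
     a Connector sits under <Service>; a Valve sits under <Engine>, <Host>
     or <Context>. -->

<!-- 1. As posted in the thread. The allow pattern must match the whole
     remote host string. A host name never contains "/after-login/map",
     so no client matches and every request is denied. -->
<Valve className="org.apache.catalina.valves.RemoteHostValve"
       allow="www.example.com/after-login/map"/>

<!-- 2. Host-name filtering. allow is a regular expression, so the dots are
     escaped; a hyphen in a host name needs no escaping. The name compared
     is the reverse-DNS (PTR) name of the connecting IP, which can differ
     from the name the site is published under. With enableLookups="false"
     the valve receives the IP address as a string, and a host-name pattern
     cannot match it. -->
<Connector port="8080" protocol="HTTP/1.1" enableLookups="true"/>
<Valve className="org.apache.catalina.valves.RemoteHostValve"
       allow="www\.example\.com"/>

<!-- 3. Address filtering. No DNS lookup is involved; the pattern is matched
     against the source IP of the TCP connection. 192.0.2.10 is a
     placeholder for the web server's address. -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="192\.0\.2\.10"/>

<!-- In both working forms the value tested belongs to whichever machine
     opens the connection to Tomcat. If a visitor's browser fetches map
     data from Tomcat directly, that machine is the visitor's, not the
     web server that delivered the page. -->
```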
Bram van Rooij
Greenhorn

Joined: Sep 09, 2011
Posts: 4
Ah, gotcha!

I'm going to look into your answers.
Although I still cannot get tomcat to only accept traffic from my site...

Thanks for your help, and I will get back on this!
 