Restricting access in Tomcat/JBoss

Today’s post is reposting some information I found recently while researching an issue.

I’m configuring a product that is going to be incorporated into a production website.  For security reasons, we would like to restrict access to the login page, as it should only be available to our own sites.

Unfortunately, this product is build on top of JBoss, which uses the Tomcat web application server.  What should be a relatively simple task is no longer simple.

In IIS or Apache, it’s trivial to put up restrictions on any directory or page you want.  Tomcat doesn’t work that way.

If I want to restrict access to an entire web application, I can do so by adding the RemoteAddrValve into the context.xml file

<Valve className="org.apache.catalina.valves.RemoteAddrValve" 

However, that would break the functionality we’re looking for.

So, after a bit of digging, it turns out in order to do this, you have to write your own Java code (or find someone who’s already done it), and incorporate it as a filter in the web.xml file of your site.

Luckily someone has already written the code.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s