Today’s post is reposting some information I found recently while researching an issue.
I’m configuring a product that is going to be incorporated into a production website. For security reasons, we would like to restrict access to the login page, as it should only be available to our own sites.
Unfortunately, this product is built on top of JBoss, which uses the Tomcat web application server. What should be a relatively simple task is no longer simple.
In IIS or Apache, it’s trivial to put up restrictions on any directory or page you want. Tomcat doesn’t work that way.
If I want to restrict access to an entire web application, I can do so by adding the RemoteAddrValve to the context.xml file:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
However, that would break the functionality we’re looking for.
So, after a bit of digging, it turns out that in order to do this, you have to write your own Java code (or find someone who’s already done it) and incorporate it as a filter in the web.xml file of your site.
Luckily someone has already written the code.