
Hi, my new problem is as follows: I have a web application running on Tomcat 6.0.x; it's behind an Apache HTTPD reverse proxy. There are other machines behind it, one of which is supposed to communicate with a certain web service (http://bla.com/restricted/stuff/...), while users (that connect from the internet side of the reverse proxy) and other machines should not be able to invoke those methods, preferably not even know they exist.

  1. Well, I know I could use RemoteAddrFilter and filter the IP, and although it's spoofable it could be "close enough", but unfortunately I'm stuck with version 6 of Tomcat.
  2. If I had complete freedom I could set up this service on a different port and then just use iptables to restrict it, but unfortunately it has to be the same instance of Tomcat and the same web application, and I am not familiar with a way to restrict a connector to certain areas in a web app.
  3. The application manages its own security system, which cannot be used for authenticating the "caller machine" for "historical" reasons. That said, making several security constraints is fine, but the specification here says that one can have only one login-config element, so even if I write a different constraint for the restricted URLs I will not be able to block it by requiring a user certificate, for example (thus identifying the calling machine), because I already have a login-config.

This is more of a "how to do it best" question rather than an "I don't know how to do it" one, because there are plenty of hacky ways to set this up, but we don't want to slip to the dark side now, do we?

I must say I did try to research the subject but I haven't found any obvious solutions, and yet if I missed something elegant and obvious I will be more than happy to hear about it (non-trivial solutions are very welcome too :) ), so thanks for any ideas.

Scis

1 Answer


Is it possible for the machines that need to call the "restricted" service to do so by talking directly to the Tomcat service at http://example.internal:8080/restricted rather than using the reverse proxy? If so, then the simplest method would be to set up the proxy so it does not pass through the restricted URIs at all, which would make it impossible for outside callers to access them.

Ian Roberts
  • Let's say I don't have full control over the reverse-proxy server, and I'm not really happy about "outsourcing" security to other applications (like the iptables idea), let alone other servers. This suggestion did come up but again we don't like it... thanks anyway :) – Scis Jul 05 '12 at 08:25
  • In which case the `RemoteAddrValve` approach is probably going to be the best you can do (re your point 1 this _is_ available in Tomcat 6 as well as 7) – Ian Roberts Jul 06 '12 at 16:24
  • http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Address_Filter is the Tomcat documentation for the `RemoteAddrValve` in Tomcat 6. – Ian Roberts Jul 06 '12 at 16:33
  • I've seen the valve thingy too; the problem is that it's either context-, host- or engine-wide and I'm trying to block just specific URLs, so this wouldn't cut it. Sorry... – Scis Jul 08 '12 at 05:13
  • I see what you mean. Well, while it's true that Tomcat 6 doesn't provide an IP address filter out of the box, it's pretty simple to write your own, or use an example such as [this one](http://www.java2s.com/Code/Java/Servlets/IPFilter.htm). – Ian Roberts Jul 08 '12 at 11:19
  • Already have written one before, but felt it's hacky to supply security features on this level with my application... – Scis Jul 10 '12 at 07:23
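The thread ends on "write your own IP filter", so here is a worked version of that approach as an added example; it is not code from the question, the answer, the linked java2s page or Tomcat itself. It is a plain Servlet 2.5 `javax.servlet.Filter` (no Servlet 3 annotations, so it loads on Tomcat 6), mapped in `web.xml` only to `/restricted/*`, which is exactly the per-URL scope the `RemoteAddrValve` cannot give. The class name `RestrictedAreaFilter`, the package `example`, the `allow` init-param and the addresses in it are all assumptions for the example. Two security decisions are built in: the filter answers 404 rather than 403 to outside callers (the asker wants the URLs not even to be discoverable), and it checks only the TCP peer address from `getRemoteAddr()`, never `X-Forwarded-For`, because that header is attacker-controlled unless the proxy is known to overwrite it, and the asker does not control the proxy.

```java
// Added example (not from the original thread). Tomcat 6 / Servlet 2.5, javax.servlet API.
//
// Assumed web.xml mapping (names and addresses are hypothetical):
//
//   <filter>
//     <filter-name>RestrictedAreaFilter</filter-name>
//     <filter-class>example.RestrictedAreaFilter</filter-class>
//     <init-param>
//       <param-name>allow</param-name>
//       <param-value>10.0.0.0/8,192.168.5.17</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>RestrictedAreaFilter</filter-name>
//     <url-pattern>/restricted/*</url-pattern>
//   </filter-mapping>
package example;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RestrictedAreaFilter implements Filter {

    /** One IPv4 allow rule: network address plus prefix length. */
    static final class Cidr {
        final int network;
        final int mask;
        Cidr(int network, int prefix) {
            // prefix 0 matches everything; otherwise keep the top 'prefix' bits.
            this.mask = prefix == 0 ? 0 : (int) (0xFFFFFFFFL << (32 - prefix));
            this.network = network & this.mask;
        }
        boolean contains(int addr) { return (addr & mask) == network; }
    }

    private final List<Cidr> allowed = new ArrayList<Cidr>();

    public void init(FilterConfig config) throws ServletException {
        String allow = config.getInitParameter("allow");
        if (allow == null || allow.trim().length() == 0) {
            // Fail closed: a filter with no allow list must not quietly let everything through.
            throw new ServletException("RestrictedAreaFilter: 'allow' init-param is required");
        }
        try {
            for (String entry : allow.split(",")) {
                allowed.add(parse(entry.trim()));
            }
        } catch (IllegalArgumentException e) {
            throw new ServletException("RestrictedAreaFilter: bad 'allow' entry: " + e.getMessage(), e);
        }
    }

    /** Parses "a.b.c.d" or "a.b.c.d/n" into a Cidr; a bare address means /32. */
    static Cidr parse(String entry) {
        String host = entry;
        int prefix = 32;
        int slash = entry.indexOf('/');
        if (slash >= 0) {
            host = entry.substring(0, slash);
            prefix = Integer.parseInt(entry.substring(slash + 1));
        }
        if (prefix < 0 || prefix > 32) {
            throw new IllegalArgumentException("bad prefix length in " + entry);
        }
        return new Cidr(toInt(host), prefix);
    }

    /** Dotted-quad IPv4 only; hostnames and IPv6 text are rejected, never resolved. */
    static int toInt(String ip) {
        String[] parts = ip.split("\\.");
        if (parts.length != 4) throw new IllegalArgumentException("not an IPv4 address: " + ip);
        int v = 0;
        for (String p : parts) {
            int octet = Integer.parseInt(p); // NumberFormatException is an IllegalArgumentException
            if (octet < 0 || octet > 255) throw new IllegalArgumentException("bad octet in " + ip);
            v = (v << 8) | octet;
        }
        return v;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only the TCP peer address is trusted. X-Forwarded-For is deliberately ignored:
        // anyone on the internet side can set it, and the asker does not control the proxy.
        boolean ok = false;
        try {
            int peer = toInt(request.getRemoteAddr());
            for (Cidr c : allowed) {
                if (c.contains(peer)) { ok = true; break; }
            }
        } catch (IllegalArgumentException e) {
            ok = false; // IPv6 or unparsable peer address: deny
        }

        if (!ok) {
            // 404, not 403: outside callers should not learn that the restricted URLs exist.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The check a practitioner should make before deploying this: a request that arrives through the Apache reverse proxy has the proxy's address as its `getRemoteAddr()`, so the proxy's IP must not appear in the `allow` list, or every proxied request passes. The intended caller therefore has to reach Tomcat's connector directly (the same precondition the answer asks about), and the filter only holds if it cannot be bypassed by a second path to the same servlet, for example a different context path or the `/restricted` prefix in a different case if the application tolerates it. If the proxy configuration can be changed after all, the answer's approach is a one-line exclusion placed before the general mapping, `ProxyPass /restricted !`, and the filter then becomes a second layer rather than the only one.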