How to restrict access by IP address with Tomcat?

Question

Does anyone know if Tomcat can restrict access to certain application by IP address (like Apache's .htaccess)?

score 27 · Accepted Answer · answered Aug 01 '10 at 09:58

27

You add a Valve to the Context in context.xml (specifically, org.apache.catalina.valves.RemoteAddrValve). See the docs on Remote Host Filters.

answered Aug 01 '10 at 09:58

skaffman

398,947
96
818
769

score 26 · Answer 2 · edited Jul 03 '14 at 13:27

26

This is an example:

in \apache-tomcat-7.0.33\conf\server.xml:

<Engine name="Catalina" defaultHost="localhost">
    ...
    ...
    ...
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
        allow="10\.132\.77\.55|10\.132\.76\.120|10\.132\.77\.47"/>
    ...
</Engine>

edited Jul 03 '14 at 13:27

xehpuk

7,814
3
30
54

answered Dec 12 '12 at 13:00

Nimesh Chanchani

261
3
4

the config file can be in these directories also '/etc/tomcat8/server.xml' ' – user3338098 Jun 15 '15 at 19:11
this can be also used in securing manager and host-manager access. – Waleed Abdalmajeed Feb 27 '18 at 11:49

score 5 · Answer 3 · edited Feb 22 '18 at 15:05

5

In Tomcat 7, you can configure it in the web.xml.

If it's for all web apps, you can configure it in tomcat7/conf/web.xml, if it is just for one web app, you can configure it in the tomcat7/webapps/$(WEB_APP)/WEB-INF/web.xml, it's very convenient.

The configuration uses a RemoteAddrFilter filter, there is an example in Container Provided Filters.

edited Feb 22 '18 at 15:05

dur

15,689
25
79
125

answered Apr 13 '16 at 09:57

Ascatgz

319
3
6

score 2 · Answer 4 · edited Mar 11 '19 at 21:44

2

To set up access restriction to your web-application for the certain IP addresses, add the following strings to /opt/tomcat/webapps/{web-application name}/META-INF/context.xml file:

<Context antiJARLocking="true" path="/">
 <Valve className="org.apache.catalina.valves.RemoteIpValve" />
 <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="{IP_address}" />
</Context>

Here is the instruction how to do this via Jelastic panel. Be sure to restart your Tomcat for the changes to take effect.

edited Mar 11 '19 at 21:44

Simon Baars

1,877
21
38

answered Apr 27 '18 at 20:38

Tetiana

313
1
10

Thanks for this. I was looking how to restrict access for just a single webapp. By replacing "ROOT" by that specific webapp, it worked. Thanks for pointing to the great source! – Simon Baars Mar 11 '19 at 17:36
Oh by the way (for everyone trying this method), you have to restart your Tomcat instance for the IP restriction to take effect. Futhermore, you can replace `deny` by `allow` to only allow certain IP's rather than only blocking certain IP's. – Simon Baars Mar 11 '19 at 17:37
Thanks a lot! For 8.5.37, only this solution works. Unfortunately, all other solutions are missing the RemoteIpValve statement. – Md. Apr 22 '19 at 17:56

score 0 · Answer 5 · answered Jan 24 '19 at 09:11

0

in Tomcat 9,you can configure it in path:apache-tomcat-9.0.14\webapps\manager\META-INF\context.xml

answered Jan 24 '19 at 09:11

袁文涛

735
1
10
23

How to restrict access by IP address with Tomcat?

5 Answers5

Linked