All Places > JBoss AS > Installation, Configuration & Deployment > Discussions

Remoteaddrvalve Tomcat 8 Example

  1. The Tomcat source code /. Licensed to the Apache Software Foundation (ASF) under one or more. contributor license agreements. See the NOTICE file distributed with. this work for additional information regarding copyright ownership.
  2. And if you want to deny from only one ip and allow all other ip's use the following For.

Remoteaddrvalve Allow All

I'm looking for instructions on how to use RemoteAddrValve to protect web applications at the context level.
Using JBoss 4.0.2, two HTTP connectors - one LAN one Internet. & a.b.c.d:80
I want to allow access to the web-console, jmx, etc., and a custom admin console web-app from the LAN (remote-address will be 10.254.*) but disable it for Internet remote clients.
I've looked at Wiki articles and the Admin docs; they talk about it being possible at the Tomcat container level and simply link to Tomcat docs.
Following the instructions in those docs to create a per-context XML configuration hasn't met with success so far.
I tried adding a context.xml to jboss/server/all/work/localhost/web-console/
<Valve className='org.apache.catalina.valves.RemoteHostValve' allow='10.254.*.*' deny '*' / >
But it doesn't seem to be used.

I have tomcat 8 setup on ubuntu 16.04 on a remote server. I want to access the gui manager app from my local machine. Visiting the page /manager/html, I get a 403 access denied page with the follow.

All Places > JBoss AS > Installation, Configuration & Deployment > Discussions

Remoteaddrvalve Tomcat


I'm having some trouble getting RemoteAddrValve/RemoteHostValve working at the host level. It is a must-have for our client to conceal JBoss/Tomcat to the extent possible, including but not limited to disallowing log-in attempts to sensitive pages/applications; therefore, I want to use a valve to deny access to these apps except from the localhost and a few other select IP's.
I've read all the JBoss4/Tomcat5 documentation regarding these valves and visited various resources on the web. I must be dumb as a rock, but I'm still somewhat confused as to how this is supposed to be configured.
Where exactly in an embedded Tomcat instance should the 'context.xml' file(s) be placed? Please don't tell me in WEB-INF of each of the protected resources. This is supposed to be a host level deal; it seems insane to include context.xml in each of my WARs.
Any hints, tips or explanations are greatly appreciated.