I figured it out, in case anyone is curious.
I had to create 3 filters and filter-mapping sections, one for each
URL. Then I had to start it from /ee/ca/; notice I left the first /ca
prefix off.
I had to add white spacing in the url-pattern tags like so:
"<url-pattern> /ee/ca/profileSelect </url-pattern>"
Finally, I had to put it in /var/lib/pki/pki-tomcat/ca/webapps/ca/WEB-INF/web.xml
On Thu, Jun 5, 2014 at 1:40 PM, Paul Robert Marino <prmarino1(a)gmail.com> wrote:
Hello,
I am currently working on a new Dogtag PKI 10 install. I realized,
though, that there are 3 URLs that concern me, and I would like to prevent
public access to them. They are
http://<FQDN>:8080/ca/ee/ca/profileSelect?profileId=<profiletypehere>,
http://<FQDN>:8080, and http://<FQDN>:8080/ca/ee/ca/profileList
I'm looking at a method mentioned here:
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Address...
I've tried putting a rule into /etc/pki/pki-tomcat/web.xml like so:
"
<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value>192\.168\.100\.\d+|192\.168\.200\.\d+</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/ca/ee/ca/profileSelect*|/ca/ee/ca/profileSubmit*|/ca/ee/ca/profileList</url-pattern>
</filter-mapping>
"
Note: I've changed the subnets; those are not the real ones I used in my
configuration.
Unfortunately, it doesn't seem to be working.
Does anyone have any pointers for me or an example of what they have
used for this?
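
Added example, not part of the original thread and not Dogtag or Tomcat code: a small Python model of how servlet url-pattern matching and the RemoteAddrFilter allow regex combine, showing why the single `|`-joined pattern in the question never applied to any request while context-relative patterns do. The host name, client addresses and profileId value are constructed, and the matcher is a simplified model of the servlet mapping rules (exact, `/prefix/*`, `*.ext`).

```python
import re
from urllib.parse import urlsplit

# Patterns from the thread: the single mapping in the question, and one
# context-relative pattern per URL as described in the follow-up.
ORIGINAL = ["/ca/ee/ca/profileSelect*|/ca/ee/ca/profileSubmit*|/ca/ee/ca/profileList"]
FIXED = ["/ee/ca/profileSelect", "/ee/ca/profileSubmit", "/ee/ca/profileList"]
ALLOW = r"192\.168\.100\.\d+|192\.168\.200\.\d+"   # placeholder subnets from the thread
# Constructed request URL (host and profileId are made up).
URL = "http://pki.example.test:8080/ca/ee/ca/profileSelect?profileId=EXAMPLE"


def pattern_matches(pattern, path):
    """Servlet url-pattern rules: exact, '/prefix/*' or '*.ext'. Not a regex, no '|'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        last = path.rsplit("/", 1)[-1]
        return "." in last and last.endswith(pattern[1:])
    return False


def filter_outcome(url, remote_addr, context, patterns, allow):
    """Return 'unfiltered' if no mapping applies, else 'allowed' or 'denied'."""
    path = urlsplit(url).path            # the query string is not part of the match
    if not path.startswith(context + "/"):
        return "unfiltered"
    relative = path[len(context):]       # patterns are relative to the context path
    if not any(pattern_matches(p, relative) for p in patterns):
        return "unfiltered"              # the filter never runs, so nothing is blocked
    # The allow regex must match the whole client address.
    return "allowed" if re.fullmatch(allow, remote_addr) else "denied"


if __name__ == "__main__":
    for name, patterns in (("original", ORIGINAL), ("fixed", FIXED)):
        for addr in ("203.0.113.7", "192.168.100.25"):
            print(name, addr, filter_outcome(URL, addr, "/ca", patterns, ALLOW))
```

A quick check after deploying a mapping like this is to request each protected URL from an address outside the allow list and confirm a 403 rather than the enrollment page.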